[14746] in bugtraq

Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)

daemon@ATHENA.MIT.EDU (Casper Dik)
Tue May 2 17:49:52 2000

Message-Id:  <200005011508.RAA12601@romulus.Holland.Sun.COM>
Date:         Mon, 1 May 2000 17:08:59 +0200
Reply-To: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
From: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Thu, 27 Apr 2000 14:33:05 +0300." 
              <39082571.8FB67869@gsu.linux.org.tr>

>lpset seems to use strcat() to pass the argument for -r flag
> ( /usr/lib/print/lib/../../../../tmp/foo) and appends .so to the end.
>in this case /tmp/foo.so is going to be dlopen
>but there is a special case /usr/lib/print/lib directory has to exist.
>xploit shell script is attached.

Is there any case in which the directory is created on a standard system?

Also, the code that has this bug (henceforth known as Sun bug #4334568)
was removed in Solaris 8.

Casper
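
Added example, not part of the original message and not Sun's or lpset's code: a C sketch of validating a module name before it is joined to a library directory and handed to dlopen(), so that a value like the one quoted above cannot step out of the directory. The function name build_module_path, the 64-byte name limit and the use of /usr/lib/print/lib as the fixed module directory are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed module directory, taken from the path in the quoted report. */
#define MODULE_DIR "/usr/lib/print/lib"
#define MAX_NAME   64   /* illustrative limit, not from the page */

/*
 * Hypothetical helper: turn a user-supplied module name into the path that
 * would be passed to dlopen(). Returns 0 on success, -1 if the name is
 * rejected or the result does not fit in 'out'.
 */
int build_module_path(const char *name, char *out, size_t outlen)
{
    size_t i, n;
    int written;

    if (name == NULL || out == NULL || outlen == 0)
        return -1;
    n = strlen(name);
    if (n == 0 || n > MAX_NAME)
        return -1;
    /* No leading dot: rejects "." and ".." and hidden files. */
    if (name[0] == '.')
        return -1;
    /* Allow-list of characters; '/' is not in it, so the name can never
     * contain a path separator and cannot form a "../" component. */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return -1;
    }
    /* Bounded formatting instead of strcat(); truncation is an error. */
    written = snprintf(out, outlen, "%s/%s.so", MODULE_DIR, name);
    if (written < 0 || (size_t)written >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one plain name, one traversal string. */
    const char *samples[] = { "foo", "../../../../tmp/foo" };
    char path[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_module_path(samples[i], path, sizeof path) == 0)
            printf("accept %s -> %s\n", samples[i], path);
        else
            printf("reject %s\n", samples[i]);
    }
    return 0;
}
```

A setuid program would additionally want the module directory and its parents to be writable only by root before loading anything from it.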
