[20488] in bugtraq

Re: IRIX /usr/lib/print/netprint local root symbols exploit.

daemon@ATHENA.MIT.EDU (Atro Tossavainen)
Fri Apr 27 20:07:25 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID:  <200104270944.f3R9ib204747@sirppi.helsinki.fi>
Date:         Fri, 27 Apr 2001 12:44:37 +0300
Reply-To: Atro.Tossavainen@helsinki.fi
From: Atro Tossavainen <atossava@CC.HELSINKI.FI>
X-To:         v9@REALHALO.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010426055110.18258.qmail@securityfocus.com> from
              "v9@REALHALO.ORG" at "Apr 26, 2001 05:51:10 am"

> this bug takes advantage of the -n option which
> has a bug that allows for arbitrary commands to be
> executed.
>
> exploit source code:
> http://realhalo.org/xnetprint.c

In the form you give it, it doesn't work against IRIX 6.5.10; it
complains about the symbol ListAllPrinters being missing.

Adding the symbol results in gaining root, but it does require lp first.

Of course, since many SGI systems come with the lp account enabled
without a password, that would often be a trivial prerequisite.

--
Atro Tossavainen (Mr.)               / The Institute of Biotechnology at
Systems Analyst, Techno-Amish &     / the University of Helsinki, Finland,
+358-9-19158939  UNIX Dinosaur     / employs me, but my opinions are my own.
<URL:http://www.iki.fi/atro.tossavainen/>