[20492] in bugtraq
Re: IRIX /usr/lib/print/netprint local root symbols exploit.
daemon@ATHENA.MIT.EDU (Dale Southard)
Fri Apr 27 20:48:11 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <ub6ae52mmpy.fsf@zonker.llnl.gov>
Date: Fri, 27 Apr 2001 07:38:49 -0700
Reply-To: Dale Southard <southard1@LLNL.GOV>
From: Dale Southard <southard1@LLNL.GOV>
X-To: Atro.Tossavainen@helsinki.fi
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200104270948.f3R9mP405653@sirppi.helsinki.fi>

Atro Tossavainen <atossava@cc.helsinki.fi> writes:
> > I tested the exploit against a current IRIX release (6.5.11) and found
> > it not to be vulnerable.
>
> How exactly did you find 6.5.11 not to be vulnerable?
>
> I tried the sploit on 6.5.10 and didn't get root. It complained about
> the lack of the ListAllPrinters symbol.
>
> Add the symbol in the sploit code, recompile, try again. 6.5.10 is
> vulnerable, is 6.5.11?

I'd be interested in seeing what symbol you added: here's a test on
6.5.5:

mybox 27% uname -R
6.5 6.5.5m
mybox 28% id
uid=45731(dsouth) gid=40
mybox 29% ./xnetprint /bin/sh
[(IRIX)netprint[] local root exploit, by: v9[v9@realhalo.org]. ]
[*] making symbols source file for netprint to execute.
[*] done, now compiling symbols source file.
[*] done, now checking to see if the symbols source compiled.
[*] done, now executing netprint.
netprint: this command for use only by LP Administrators
mybox 30% id
uid=45731(dsouth) gid=40

If I run the above as root, I do get the complaint about a missing
ListAllPrinters symbol, but requiring root seems a bit
counter-productive for a sploit. ;-)

--
/* Dale Southard Jr. southard1@llnl.gov 925-422-1463 */
/* Computer Scientist, Accelerated Strategic Computing Initiative */
/* L-550, Lawrence Livermore National Lab, Livermore CA 94551 */
/* AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving */