[7937] in bugtraq
tmp exploit with redhat printfilter?
daemon@ATHENA.MIT.EDU (base16@flash.net)
Mon Sep 14 00:35:14 1998
Date: Sun, 13 Sep 1998 21:17:42 -0500
Reply-To: "base16@flash.net" <base16@FLASH.NET>
From: "base16@flash.net" <base16@FLASH.NET>
To: BUGTRAQ@NETSPACE.ORG
Excuse me if this has already been posted, or it's just a stupid thing that
poses no threat whatsoever to system security.
It seems the RedHat print filter contains the following lines:
    if [ ${i##*:} = "DONE" ]; then
        if [ "$DEBUG_FILTER" != "" ]; then
            echo "$root -> depth = $depth" >> /tmp/filter.debug
        fi
Well, this is most certainly not good because of obvious symlink reasons.
This could be a major hole if the filter is called by lpr, which happens
to be suid.
egor:~$ ls -l $(which lpr)
-r-sr-sr-x 1 root lp 15164 May 5 18:24 /usr/bin/lpr*
I'm just a clueless newbie who thinks he found a hole of sorts, so if this
is nothing big, or it does not run suid or whatnot, please don't flame me
too much.
--
base16
http://egor.dyn.ml.org/
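
Added example, not part of the original post and not Red Hat's code: the append-to-a-fixed-/tmp-name pattern quoted above, next to one way a filter script could write its debug log safely. The function names, the scratch directory layout and the "victim" file are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function names and directory layout are assumptions.

# Pattern from the quoted filter: append to a fixed name in a shared directory.
unsafe_debug_log() {   # $1 = log path, $2 = message
    echo "$2" >> "$1"
}

# Hardened form: log only inside a directory no other user can write to,
# and refuse a log path that is a symlink or not a regular file.
safe_debug_log() {     # $1 = log directory, $2 = message
    dir=$1; log=$dir/filter.debug
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    # Reject group- or world-writable directories such as /tmp.
    [ -z "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 1
    # No other unprivileged user can create entries here, so this check
    # is not racing anyone.
    if [ -L "$log" ] || { [ -e "$log" ] && [ ! -f "$log" ]; }; then
        return 1
    fi
    ( umask 077; printf '%s\n' "$2" >> "$log" )
}

# Constructed scenario: "shared" stands in for /tmp, "victim" for any
# file the user running the filter is allowed to write.
demo() {
    s=$(mktemp -d) || return 1
    mkdir "$s/shared" "$s/private"
    chmod 1777 "$s/shared"; chmod 700 "$s/private"
    echo original > "$s/victim"
    ln -s "$s/victim" "$s/shared/filter.debug"

    unsafe_debug_log "$s/shared/filter.debug" "root -> depth = 1"
    [ "$(wc -l < "$s/victim")" -eq 2 ] && r1=followed || r1=intact

    echo original > "$s/victim"
    safe_debug_log "$s/shared" "root -> depth = 1" && r2=written || r2=refused
    safe_debug_log "$s/private" "root -> depth = 1" && r3=written || r3=refused
    [ "$(cat "$s/victim")" = original ] && r4=intact || r4=modified

    rm -rf "$s"
    echo "unsafe=$r1 shared=$r2 private=$r3 victim=$r4"
}
demo
```

The hardened function does not depend on winning a race in /tmp: it refuses any log directory that other users can write to, which is what makes the symlink check on the log path reliable.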