Irix netprint vulnerability

Summary
Description: standard system() call/path hole
Author: Yuri Volobuev <volobuev@t1.chem.umn.edu>
Compromise: root (local)
Vulnerable Systems: IRIX with vulnerable Netprint
Date: 4 January 1997
Details

Exploit:

Date: Sat, 4 Jan 1997 14:22:33 -0600
From: Yuri Volobuev 
To: Multiple recipients of list BUGTRAQ 
Subject: Irix: netprint story
 
Howdy,
 
A while back, I found a hole in /usr/lib/print/netprint.  Since it's a
pretty important program, and it has to be root/suid, unlike many others
found in Irix, I decided to use it as a test case and find out what happens
if one selects to "work" with vendor, without disclosing the vulnerability
publicly.  The experiment was sort of successful.  Sometime late Nov, a
week before the Thanksgiving or so, I sent a problem report to SGI.  The
problem was fixed relatively quickly, in a couple of days, then it just took
them a month to release a patch+advisory (btw, I didn't receive that
advisory, I wonder why, I thought I'm subscribed to wiretap).  Advisory id
is 19961203-01-PX, it can be found at
ftp://sgigate.sgi.com/Security/19961203-01-PX, accompanied by patches.
And, yes, Virginia, it does acknowledge me.  So in a sense it's a happy-end
story.  Have enough patience, wait enough time, and they may fix it.  Amen.
 
The actual vulnerability is quite ugly.  netprint has system("disable")
call, i.e. it calls a program without specifying absolute path.  At the
moment the call is made, uid=lp.  So lp priorities can be trivially
obtained.
 
/usr/lib/print/netprint -n blah -h blah -p blah 1-234
 
and whatever program named  disable  is first in the PATH will be executed
as lp.
 
However, one can go further if BSD printing subsystem is installed.
/usr/spool/lpd is owned by lp, and it's the place where lpd writes lock
file.  lpd is also root/suid.  So one replaces
/usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, passwd
gets nuked.  Then one repeats netprint trick, and, voila, disable now runs
as root, because lp is not found in passwd.  Kinda neat.
 
As far as I can tell, patch does fix that.  New netprint works in a strange
way, though.  Now if I try to run netprint, it wouldn't proceed because I'm
not lp.  I thought this would be easier to accomplish by removing
world-executable bit, but maybe I'm missing something.  In any case,
install patch 1685/1686 right away.
 
So, a happy story for a New Year.  One can only wish they release a patch a
little bit quicker, but it's something to work on.  AUSCERT was pretty nice
discussing this problem with me, btw.  Mike Kienenberger was doing great job
pushing SGI as a customer, the fact that patch is out _this_ year is partly
due to his work.
 
Cheers and Happy New Year everybody,
 
yuri,
Always speaking for myself and only for myself



This page is part of Fyodor's exploit world.