|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Linux & BSD's lpr exploit
Elliot Lee (sopwith
cuc.edu)Thu, 31 Oct 1996 19:55:48 -0500
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: Scriptors of DOOM: "Re: Linux & BSD's lpr exploit"
- Previous message: Tung-Hui Hu: "BoS: (Another) vulnerability in new SGIs"
- In reply to: Capitan: "Re: Linux & BSD's lpr exploit"
On Wed, 30 Oct 1996, Capitan wrote: > I tried to use the lpr exploit on my machine which runs Redhat 4.0. > It says "lpr: lp: unknown printer". It is setuid. I was wondering if you > could set lp so that the program would work. You could do it by > enviroment variable, but what would you set it to if there isn't a printer > for the machine. Is it just not possible for the bug to work on Redhat > 4.0? I would hate for one of my users to find a way to exploit it after i > thought it was safe. My kernel version is 2.0.23, but I'm going to > upgrade it to 2.0.24 tonight. There is an update out for lpr - run the following command as root, and stop and start lpr, to fix: rpm -Uvh \ ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/i386/lpr-0.12-1.i386.rpm Personally I think the world should start using LPRng (which doesn't need things to be setUID at all, and is more secure in other aspects as well) but again, that's just my opinion :) -- Elliot A: "Talk about stupidity!" B: "Who, you?" A: "No, me!"
- Next message: Scriptors of DOOM: "Re: Linux & BSD's lpr exploit"
- Previous message: Tung-Hui Hu: "BoS: (Another) vulnerability in new SGIs"
- In reply to: Capitan: "Re: Linux & BSD's lpr exploit"