Irix: netprint story
Yuri Volobuev (volobuev t1.chem.umn.edu)
Sat, 4 Jan 1997 14:22:33 -0600
Howdy,

A while back, I found a hole in /usr/lib/print/netprint. Since it's a pretty important program, and it has to be root/suid, unlike many others found in Irix, I decided to use it as a test case and find out what happens if one selects to "work" with the vendor, without disclosing the vulnerability publicly. The experiment was sort of successful. Sometime late Nov, a week before Thanksgiving or so, I sent a problem report to SGI. The problem was fixed relatively quickly, in a couple of days, then it just took them a month to release a patch+advisory (btw, I didn't receive that advisory, I wonder why, I thought I'm subscribed to wiretap). Advisory id is 19961203-01-PX, it can be found at ftp://sgigate.sgi.com/Security/19961203-01-PX, accompanied by patches. And, yes, Virginia, it does acknowledge me. So in a sense it's a happy-end story. Have enough patience, wait enough time, and they may fix it. Amen.

The actual vulnerability is quite ugly. netprint has a system("disable") call, i.e. it calls a program without specifying an absolute path. At the moment the call is made, uid=lp. So lp priorities can be trivially obtained.

/usr/lib/print/netprint -n blah -h blah -p blah 1-234

and whatever program named disable is first in the PATH will be executed as lp. However, one can go further if the BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes its lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, passwd gets nuked. Then one repeats the netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.

As far as I can tell, the patch does fix that. The new netprint works in a strange way, though. Now if I try to run netprint, it wouldn't proceed because I'm not lp. I thought this would be easier to accomplish by removing the world-executable bit, but maybe I'm missing something. In any case, install patch 1685/1686 right away.

So, a happy story for a New Year. One can only wish they released a patch a little bit quicker, but it's something to work on. AUSCERT was pretty nice discussing this problem with me, btw. Mike Kienenberger was doing a great job pushing SGI as a customer; the fact that the patch is out _this_ year is partly due to his work.

Cheers and Happy New Year everybody,

yuri,
Always speaking for myself and only for myself
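The two defensive fixes that the chain in the post calls for, as an added example in C (not SGI's netprint or lpd code, and not from the post): a replacement for the bare system("disable") call that execs a fixed absolute path under a scrubbed environment, and a lock-file open that refuses a symlink planted in a spool directory instead of following it. It assumes a Linux/glibc system with /bin/sh and a writable /tmp; the self-check builds its own throwaway directory and target file.

```c
#define _GNU_SOURCE             /* O_NOFOLLOW and mkdtemp on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Instead of system("disable"): exec a fixed absolute path under a scrubbed
 * environment, so neither PATH nor a shell chooses the binary. Returns the
 * child's exit status, or -1 if the path is relative or exec fails. */
int run_fixed_path(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    if (abs_path == NULL || abs_path[0] != '/') return -1;  /* "disable" refused */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(abs_path, argv, clean_env); _exit(127); }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}
/* Constructed argv for trying run_fixed_path(): "sh -c 'exit 3'". */
char *const demo_argv[] = { "sh", "-c", "exit 3", NULL };

/* Lock-file creation that refuses a planted symlink: O_EXCL fails if anything
 * already sits at the path, and O_NOFOLLOW never dereferences a trailing link. */
int create_lockfile(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Self-check in a constructed temp dir: plant a symlink where the lock would
 * go; returns 1 if the lock is refused and the link target is left intact. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX", target[64], lock[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lock, sizeof lock, "%s/lpd.lock", dir);
    int fd = open(target, O_WRONLY | O_CREAT, 0644);
    if (fd < 0 || write(fd, "intact\n", 7) != 7) return 0;
    close(fd);
    if (symlink(target, lock) != 0) return 0;
    int refused = create_lockfile(lock) < 0;            /* must not truncate target */
    int intact = stat(target, &st) == 0 && st.st_size == 7;
    unlink(lock); unlink(target); rmdir(dir);
    return refused && intact;
}
```

The symlink check guards only the final path component; a spool directory that an unprivileged account owns still needs the lock kept somewhere that account cannot write.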