Date: Sun, 13 Sep 1998 21:17:42 -0500
From: "base16@flash.net" <base16@FLASH.NET>
To: BUGTRAQ@netspace.org
Subject: tmp exploit with redhat printfilter?
Excuse me if this has already been posted, or it's just a stupid thing that
poses no threat whatsoever to system security.
It seems the RedHat print filter contains the following lines:
  if [ ${i##*:} = "DONE" ]; then
    if [ "$DEBUG_FILTER" != "" ]; then
      echo "$root -> depth = $depth" >> /tmp/filter.debug
    fi
Well, this is most certainly not good because of obvious symlink reasons.
This could be a major hole if the filter is called by lpr, which happens
to be suid.
egor:~$ ls -l $(which lpr)
-r-sr-sr-x 1 root lp 15164 May 5 18:24 /usr/bin/lpr*
I'm just a clueless newbie who thinks he found a hole of sorts, so if this
is nothing big, or it does not run suid or whatnot, please don't flame me
too much.
--
base16
http://egor.dyn.ml.org/
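The following is an added example, not code from the post above or from the Red Hat print filter. It reproduces the symlink problem the post describes inside a scratch directory that stands in for /tmp, then shows a safer way to create the debug log. It needs no root: the "victim" file stands in for a root-owned file an attacker would want to clobber, and every name in it (run_attack, vulnerable_debug_log, safe_debug_log, filter.debug.XXXXXX) is the example's own.

```shell
#!/bin/sh
# Added example (not the original post's or Red Hat's code). Everything runs
# in a mktemp -d scratch directory standing in for /tmp; no privileges needed.

# Vulnerable pattern, as quoted in the post: append to a fixed, predictable
# name in a world-writable directory. The shell's `>>` opens the path with
# O_WRONLY|O_CREAT|O_APPEND and follows symlinks, so if an attacker has
# already planted a link there, a root-run filter appends the debug line to
# whatever the link points at.
vulnerable_debug_log() {
    tmpdir="$1"; root="$2"; depth="$3"
    echo "$root -> depth = $depth" >> "$tmpdir/filter.debug"
}

# Safer pattern: never reuse a guessable name in a shared directory. mktemp
# creates a fresh file with O_CREAT|O_EXCL and a random suffix, so a
# pre-planted symlink is neither matched by name nor followed (creation fails
# instead of opening the target). The caller keeps the returned path and
# appends to it for the rest of the run. A real filter should additionally
# keep such logs under a directory only root can write to rather than /tmp;
# a plain `[ -L file ]` check before `>>` is NOT a fix, because the attacker
# can create the link between the check and the open.
safe_debug_log_open() {
    tmpdir="$1"
    mktemp "$tmpdir/filter.debug.XXXXXX"
}
safe_debug_log() {
    logfile="$1"; root="$2"; depth="$3"
    echo "$root -> depth = $depth" >> "$logfile"
}

# Simulate the attack against one pattern ("vulnerable" or "safe") and print
# the victim file's last line, so the caller can see whether the attacker's
# chosen target was written to.
run_attack() {
    pattern="$1"
    tmpdir=$(mktemp -d)                       # stands in for /tmp
    victim="$tmpdir/victim"                   # stands in for e.g. /etc/passwd
    printf 'original\n' > "$victim"
    ln -s "$victim" "$tmpdir/filter.debug"    # attacker pre-plants the link

    if [ "$pattern" = vulnerable ]; then
        vulnerable_debug_log "$tmpdir" ascii 0
    else
        logfile=$(safe_debug_log_open "$tmpdir")
        safe_debug_log "$logfile" ascii 0
    fi
    tail -n 1 "$victim"                       # "ascii -> depth = 0" if clobbered
    rm -rf "$tmpdir"
}

# Usage: the first call shows the debug line landing in the victim file, the
# second shows the victim untouched.
run_attack vulnerable
run_attack safe
```

With the vulnerable pattern the victim file ends with the filter's debug line; with the mktemp-based pattern it still ends with "original" and the debug output sits in a freshly created file the attacker could not have named in advance.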