mailing list archives
Security problems on SCO's lp subsystem
From: paganini () paganini net (Marco Paganini)
Date: Thu, 18 Jun 1998 15:00:45 -0300
-----BEGIN PGP SIGNED MESSAGE-----
While casually looking for SETUID binaries in a newly installed
SCO 5.0.2 box, I have discovered that normal users with lp access
(the default) may cause headaches to the system administrador.
System: SCO 5.0.2 Enterprise (5.0.4 too?)
Plain Vanilla Intel Server
OK. We are all clean.
Normal users can remove text files under /tmp. The lp command won't even
try to "print" (and remove afterwards) binary or executable programs.
There may be a way around this, but I haven't tried to find it.
$ lp -R /tmp/text_file_to_be_removed
The switch -R causes the removal of the file, after printing.
This exploit won't work in dirs that don't have the sticky bit set.
This is even better, but only works if your lp subsystem has a file named
/var/spool/lpd/lock. With this file in place, the lp command will enable
the "-L live" option. With this, you can write to *any* file in the system.
And even better, the file will be mode 600, owned by root...
$ lp -L live=/any_file_in_the_system
And that's it. You can type anything you want/need.
I'd like to know if these problems are still valid on 5.0.4. I couldn't
find any mention of this problem on the SCO site. Older versions of SCO
may exhibit this problem, since many of these have /usr/bin/lp setuid to
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Marco Paganini | UNIX / Networking consultant
paganini () paganini net | PGP: http://www.paganini.net/pgpkey.txt (RSA)
http://www.paganini.net | Fingerprint: 8734555AEDCF04D3A2E3A98A34E253D9
- Security problems on SCO's lp subsystem Marco Paganini (Jun 18)