Vulnerability Development mailing list archives
aix __ bos.rte.printers __ format string vulnerability
From: "Sergey Kuprin" <Sergey.Kuprin () warehouse ru>
Date: Mon, 5 Jan 2004 14:07:09 +0300
there is a local (and possibly remote) format string vulnerability in
package bos.rte.printers.
feeding /usr/bin/enq with arguments containing formatstring characters it
can result in seg_fault.
the research of this problem with acknowledgements of exact arguments and
configuration types
wasn't done.
the enq utility is a part of qdaemon printing system. it can be called in
different cases.
so in special cases it is possible to force pass formatstring via print
queue. it isn't checked on
practice.
as enq-utility on most systems have suid-flag, we can gain privileges of
owner (typicaly root).
as mentioned we have local and remote formatstring bug with ability to gain
root privileges.
to prove local vulnerabily we must have permissions to execute enq and
construct formatstring
which executes our code. to prove remote vulnerabily the closer view and
investigation is needed.
(ruff@first) /home/ruff> oslevel
4.3.3.0
(ruff@first) /home/ruff> ls -alF /usr/bin/enq
-r-sr-sr-x 1 root printq 69980 Apr 20 2001 /usr/bin/enq*
(ruff@first) /home/ruff> lslpp -h bos.rte.printers
Fileset Level Action Status Date Time
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.rte.printers
4.3.3.75 COMMIT COMPLETE 10/25/03 22:50:17
Path: /etc/objrepos
bos.rte.printers
4.3.3.75 COMMIT COMPLETE 10/25/03 22:50:17
(ruff@first) /home/ruff> enq -P%08x%08x%08x%08x%08x%08x
enq: (FATAL ERROR): Bad queue or device name:
2ff20dae0000000000000000000000000000000100808080.
(ruff@first) /home/ruff> enq -P%n%n
enq: (FATAL ERROR): Bad queue or device name: Segmentation fault
(ruff@first) /home/ruff>
Current thread:
- aix __ bos.rte.printers __ format string vulnerability Sergey Kuprin (Jan 05)
- Re: aix __ bos.rte.printers __ format string vulnerability Jose Carlos Luna Duran (Jan 08)