|
|
| |
| /usr/sbin/rlpdaemon in HP-UX is setuid root. Its switches include "-l" to enable logging and "-L /some/thing" to select a logfile other than the default. When run by a non-root user it can create/append a logfile owned by root. With a little care (and a copy of RFC1179), a local user can supply data to add to files he chooses and thereby get root. The victim does not actually need to have any printers configured. |
| |
Credit:
The information has been provided by G.Borglum.
|
| |
Vulnerable systems:
HP-UX 10.20
HP-UX 11.00
Example:
As a non-root user run:
$ rlpdaemon -i -l -L /existing_directory/new_file
If the logfile created is owned by root you have the bug. Patched systems quit silently if "-i" is used and print " Unable to open/create logfile" if "-l -L" is used.
Solution:
HP's alert "Sec. Vulnerability in rlpdaemon" (HPSBUX0111-176) was released 2001-11-20 and describes this as a "logic flaw vulnerability". Because the patches fix more than one problem you should definitely aim to have them installed unless you remove rlpdaemon.
|
|
|
