Vendor: Netprint Program
By: SecurityFocus
CVSS: 7.2 (HIGH)
Privilege Escalation
CWE: 264
Product Name: Netprint Program
Affected Version From: Irix 6.x and 5.x
Affected Version To: Irix 6.x and 5.x
Patch Exists: No
Related CWE: N/A
CPE: o:sgi:irix:6.x
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Irix
2002
Netprint Program Vulnerability
A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program named disable that is found in the PATH can be executed as user lp. However, one can go further if the BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it is the place where lpd writes its lock file. lpd is also setuid root. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, and passwd gets nuked. Then one repeats the netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.
Mitigation:
Disable the netprint program or restrict access to it.
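At the code level, the unqualified system() call described above is avoided by running the helper by absolute path, without a shell, and with a fixed environment. The following is an added example, not netprint's source: `run_helper` and the `"disable printer"` argument are hypothetical, and /bin/sh stands in for the helper so the code runs on any POSIX system.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern described in the advisory (the argument is hypothetical):
 *     system("disable printer");
 * system() hands the string to /bin/sh, which resolves "disable" through
 * the PATH inherited from whoever started the program. */

/* Fixed environment for the child; nothing is inherited from the caller. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Run a helper by absolute path with no shell and a fixed environment.
 * Returns the helper's exit status, or -1 if it was refused or failed. */
int run_helper(const char *abs_path, char *const argv[])
{
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                 /* a bare name would need a PATH search */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);  /* no PATH lookup, no shell */
        _exit(127);                         /* reached only if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Stand-in helper invocation (constructed for this example). */
    char *const argv[] = { "sh", "-c", "exit 0", NULL };
    return run_helper("/bin/sh", argv) == 0 ? 0 : 1;
}
```

Because the child receives `clean_env` rather than the caller's environment, a PATH set by the invoking user never reaches the helper or anything the helper starts.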