Securityvulns SECURITYVULNS:DOC:2275
Dec 17, 2001 - 12:00 a.m.

HP-UX setuid rlpdaemon induced to make illicit file writes

(This may have gone AWOL before. If there was a reason for the
moderator dropping it I'd be interested to know. G.B.)

THE PROBLEM
/usr/sbin/rlpdaemon in HP-UX is setuid root. Switches include "-l" to
enable logging and "-L /some/thing" to select a logfile other than the
default. When run by a non-root user it can create/append a logfile owned
by root. With a little care (and a copy of RFC1179) a local user can supply
data to add to files he chooses and thereby get root. The victim doesn't
actually need to have any printers configured.

THE TEST
10.20 and 11.00 are affected - maybe all versions before November 2001.
As a non-root user run "rlpdaemon -i -l -L /existing_directory/new_file".
If the logfile created is owned by root you have the bug. Patched systems
quit silently if "-i" is used and print " Unable to open/create logfile"
if "-l -L" is used.

THE FIX
HP's alert "Sec. Vulnerability in rlpdaemon" (HPSBUX0111-176) was released
2001-11-20 and describes this as a "logic flaw vulnerability". Because
the patches fix more than one problem you should definitely aim to have
them installed unless you remove rlpdaemon.
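
The flaw described under THE PROBLEM is a setuid-root program opening a caller-chosen logfile with root's rights. The sketch below is an added example, not HP's patch and not code from this advisory, showing one common way to avoid that class of bug: open the file under the invoking user's identity. The function name `open_log_as_invoker` and the default filename are hypothetical, and the advisory does not say how HP's fix works.

```c
#define _POSIX_C_SOURCE 200809L   /* seteuid, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not HP's code): open a caller-named logfile for
 * append, with the real user's rights instead of the setuid identity. */
int open_log_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd = -1, err = 0;

    /* Drop the group first, while the effective uid can still change it. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) == 0) {
        /* The kernel now applies the invoking user's permissions.
         * O_NOFOLLOW rejects a symlink as the final path component. */
        fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
        if (fd < 0) {
            err = errno;
        } else if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
            err = EINVAL;            /* only regular files are logs */
            close(fd);
            fd = -1;
        }
        /* Regain privilege; abort if the process state is now unknown. */
        if (seteuid(saved_euid) != 0)
            _exit(111);
    } else {
        err = errno;
    }
    if (setegid(saved_egid) != 0)
        _exit(111);
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_log_as_invoker(argc > 1 ? argv[1] : "rlp_demo.log");
    if (fd < 0)
        perror("Unable to open/create logfile");
    return fd < 0;
}
```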

THE HISTORY
This was reported (with exploit) to [email protected] on 2001-08-08.

THE GREETZ
Mark, Mark, Mark, Lance, Huge, Clarkie

THE GRUMBLES
advisories not containing clear TEST and FIX sections

THE AUTHOR
http://brinkie.xs4all.nl/~robert/originals/dcp01012.jpg
far left in this shot from the collection at http://www.hal2001.org