-----BEGIN PGP SIGNED MESSAGE----- Hello! While casually looking for SETUID binaries in a newly installed SCO 5.0.2 box, I have discovered that normal users with lp access (the default) may cause headaches to the system administrador. Details: System: SCO 5.0.2 Enterprise (5.0.4 too?) Plain Vanilla Intel Server OK. We are all clean. Exploit 1) Normal users can remove text files under /tmp. The lp command won't even try to "print" (and remove afterwards) binary or executable programs. There may be a way around this, but I haven't tried to find it. $ lp -R /tmp/text_file_to_be_removed The switch -R causes the removal of the file, after printing. This exploit won't work in dirs that don't have the sticky bit set. Exploit 2) This is even better, but only works if your lp subsystem has a file named /var/spool/lpd/lock. With this file in place, the lp command will enable the "-L live" option. With this, you can write to *any* file in the system. And even better, the file will be mode 600, owned by root... Just do: $ lp -L live=/any_file_in_the_system blablabla ^D And that's it. You can type anything you want/need. I'd like to know if these problems are still valid on 5.0.4. I couldn't find any mention of this problem on the SCO site. Older versions of SCO may exhibit this problem, since many of these have /usr/bin/lp setuid to root. Regards Paganini -----BEGIN PGP SIGNATURE----- Version: 2.6.3in Charset: latin1 iQCVAwUBNYlHbc6C8KwDKBjZAQEVPAP+K6B07p/0XRBHqrOLqq3vUsf/vRmuDZnr 3xguLKKoI2uFQlgQKp0Za2K9B9kB0eVNml0fsevN1YuaAmDVrclG2l/tDc/OZg9r PuKzoUZTy1FMA0NNE5e+/cVxrCSBjO7UpxSSozWQZTUD9DbnLEqhj7NXYTSTCNb/ S/yptRYXBaQ= =ItpN -----END PGP SIGNATURE----- -- Marco Paganini | UNIX / Networking consultant paganiniat_private | PGP: http://www.paganini.net/pgpkey.txt (RSA) http://www.paganini.net | Fingerprint: 8734555AEDCF04D3A2E3A98A34E253D9
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:44 PDT