No news here. The author's site indicates that he found the bug under IRIX 6.2. That release of IRIX is around 5 years old. SGI released a Security Advisory on the netprint issue in December of 1996 which included information on a patch which fixes it. See SGI's security site at:

http://www.sgi.com/support/security/index.html

I tested the exploit against a current IRIX release (6.5.11) and found it not to be vulnerable.

Rule of thumb: If your sysadmin hasn't done an OS upgrade or applied patches in over four years, there are likely to be some significant security issues.

v9at_private writes:
> i haven't audited anything in some time. well, i
> just noticed this because i am doing a project
> with a name similar to "netprint" and i was
> wondering if it was at all related to what i was
> doing. it wasn't. but, i noticed it was setuid
> root and had a little bug.
>
> this bug takes advantage of the -n option which
> has a bug that allows for arbitrary commands to be
> executed.
>
> exploit source code:
> http://realhalo.org/xnetprint.c
>
> Vade79 -> v9at_private -> realhalo.org.

--
/* Dale Southard Jr. southard1at_private 925-422-1463 */
/* Computer Scientist, Accelerated Strategic Computing Initiative */
/* L-550, Lawrence Livermore National Lab, Livermore CA 94551 */
/* AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving */

This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 23:59:12 PDT