Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: HP/UX :: hpux4934.htm

rlpdaemon illicit file writes



18th Dec 2001 [SBWID-4934]
COMMAND

	rlpdaemon illicit file writes

SYSTEMS AFFECTED

	10.20 and 11.00 are affected

PROBLEM

	G.Borglum reported following :
	

	/usr/sbin/rlpdaemon in HP-UX is setuid root. Switches include \"-l\"  to
	enable logging and \"-L /some/thing\" to select  a  logfile  other  than
	the default. When run by a non-root user it can create/append a  logfile
	owned by root. With a little care (and a copy of RFC1179) a  local  user
	can supply data to add to files he chooses and  thereby  get  root.  The
	victim doesn\'t actually need to have any printers configured.
	

	 Test

	 ====

	

	As    a    non-root    user     run     \"rlpdaemon     -i     -l     -L
	/existing_directory/new_file\". If the logfile created is owned by  root
	you have the bug. Patched systems quit silently if \"-i\"  is  used  and
	print \" Unable to open/create logfile\" if \"-l -L\" is used.
	

	

SOLUTION

	HP\'s alert \"Sec. Vulnerability  in  rlpdaemon\"  (HPSBUX0111-176)  was
	released   2001-11-20   and   describes   this   as   a   \"logic   flaw
	vulnerability\". Because the patches  fix  more  than  one  problem  you
	should  definitely  aim  to  have  them  installed  unless  you   remove
	rlpdaemon.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH