A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program in the path named disable can be executed as user lp.
% cat > /tmp/disable
cp /bin/sh /tmp/lpshell
chmod 4755 /tmp/lpshell
% set path=(. $path)
% netprint -n blah -h blah -p blah 1-234
However, one can go further if BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, passwd gets nuked. Then one repeats netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.
IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the netprint program calls the disable command via a system() call without supplying an absolute path. The PATH environment variable for finding and executing the disable program can be trivially modified by a malicious user. This flaw may lead to a loss of integrity.
Silicon Graphics, Inc. has released a patch to address this vulnerability. It is possible to correct the flaw by implementing the following workaround:
/usr/sbin/versions -v remove print
Take note that the 2022 patch for version 6.2 will patch all vulnerable versions and is the only patch available for other versions. For example, in the patch directory for 6.1 or 6.3, there is no patch for this vulnerability. As a result, the 2022 for 6.2 must be used.