Published: 1997-01-04 00:00:00
Revised: 2016-10-17 22:01:30

[Original] netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges.

[CNNVD] SGI IRIX Permission Vulnerability (CNNVD-199701-042)

SGI IRIX 6.4 and earlier trust the PATH environment variable when locating and executing the disable program, so a local user can gain privileges.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:sgi:irix:6.4    SGI IRIX 6.4
cpe:/o:sgi:irix:6.3    SGI IRIX 6.3
cpe:/o:sgi:irix:5.3    SGI IRIX 5.3
cpe:/o:sgi:irix:6.2    SGI IRIX 6.2
cpe:/o:sgi:irix:6.1    SGI IRIX 6.1
cpe:/o:sgi:irix:6.0    SGI IRIX 6.0
cpe:/o:sgi:irix:6.0.1  SGI IRIX 6.0.1

- OVAL (technical details for detection)


- Official database links
(official source) MITRE
(official source) NVD
(official source) CNNVD

- Other links and resources
(UNKNOWN)  SGI  19961203-01-PX
(VENDOR_ADVISORY)  SGI  19961203-02-PX
(UNKNOWN)  BUGTRAQ  19970104 Irix: netprint story
(VENDOR_ADVISORY)  XF  sgi-netprint(2107)

- Vulnerability information

SGI IRIX Permission Vulnerability
Medium  Unknown
1997-01-04 00:00:00 2005-05-02 00:00:00

- Advisories and patches


- Vulnerability information (19313)

SGI IRIX <= 6.4 netprint Vulnerability (EDBID:19313)
irix local
1997-01-04 Verified
0 Yuri Volobuev
N/A

A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program in the path named disable can be executed as user lp.

% cat > /tmp/disable
cp /bin/sh /tmp/lpshell
chmod 4755 /tmp/lpshell
% set path=(. $path)
% netprint -n blah -h blah -p blah 1-234
% /tmp/lpshell

However, one can go further if the BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes its lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, and passwd gets nuked. Then one repeats the netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.

- Vulnerability information

IRIX netprint PATH Subversion Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

IRIX contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when the netprint program calls the disable command via a system() call without supplying an absolute path. The PATH environment variable used to find and execute the disable program can be trivially modified by a malicious user. This flaw may lead to a loss of integrity.
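As an added illustration that is not code from the advisory, from SGI's netprint, or from the exploit posting: the invocation pattern described above beside a hardened form that uses an absolute path, execve() instead of a shell, and a fixed environment. The helper search path /usr/bin:/bin, the function names and the printer argument are assumptions; the demo runs /bin/sh only to show which environment the child actually receives.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Environment given to every helper; nothing is inherited from the caller, so
 * the caller's PATH (or IFS, LD_LIBRARY_PATH, ...) cannot steer the lookup. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* The shape the advisory describes: a bare program name goes through system(),
 * so /bin/sh resolves "disable" with whatever PATH the caller exported. */
int run_disable_unsafe(const char *printer)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "disable %s", printer);
    return system(cmd);
}

/* Hardened shape: absolute path only, execve() instead of a shell, fixed env.
 * Returns the child's exit status; -1 on a rejected path or fork/wait failure. */
int run_helper_safe(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')
        return -1;                      /* a bare name would be PATH-resolved */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, SAFE_ENV);   /* no PATH search, no shell parsing */
        _exit(127);                     /* exec failed: shell's own convention */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Demo: the child sees only SAFE_ENV (HOME unset, PATH ours); bare names are refused. */
int demo_child_env_is_clean(void)
{
    char *const argv[] = { "sh", "-c",
        "test -z \"$HOME\" && test \"$PATH\" = /usr/bin:/bin", NULL };
    return run_helper_safe("/bin/sh", argv);    /* 0 when both tests pass */
}

int demo_relative_name_refused(void)
{
    char *const argv[] = { "disable", "lp0", NULL };
    return run_helper_safe("disable", argv);    /* -1: never reaches fork */
}
```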

- Timeline

1996-12-27 Unknown
1997-01-04 Unknown

- Solution

Silicon Graphics, Inc. has released a patch to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround:

/usr/sbin/versions -v remove print

Take note that patch 2022 for version 6.2 patches all vulnerable versions and is the only patch available for the other versions. For example, the patch directories for 6.1 and 6.3 contain no patch for this vulnerability; as a result, patch 2022 for 6.2 must be used.

- References

- Vulnerability author