COMMAND

    /usr/lib/print/netprint

SYSTEMS AFFECTED

    IRIX 5.3, 6.1, 6.2, 6.3, 6.4.

PROBLEM

    The /usr/lib/print/netprint program is used by the printing
    system installed on all SGI systems.

    netprint makes a system("disable") call, i.e. it calls a program
    without specifying an absolute path. At the moment the call is
    made, uid=lp. So lp privileges can be trivially obtained.

        /usr/lib/print/netprint -n blah -h blah -p blah 1-234

    and whatever program named disable is first in the PATH will be
    executed as lp.

    However, one can go further if the BSD printing subsystem is
    installed. /usr/spool/lpd is owned by lp, and it is the place
    where lpd writes its lock file. lpd is also setuid root. So one
    replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd
    and runs lpd, and passwd gets nuked. Then one repeats the netprint
    trick and, voila, disable now runs as root, because lp is not
    found in passwd. Credit for this goes to Yuri Volobuev.

SOLUTION

    Although patches are available for this issue, there may be
    situations where installing them immediately is not possible.
    The patch is number 1685/86.

    As part of ongoing security efforts, Silicon Graphics has
    replaced patch 1686 (IRIX 6.2) with patch 2022. The original text
    of SGI Security Advisory 19961203-01-PX has been updated to
    reflect this change.
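
    The unqualified system("disable") call described under PROBLEM,
    reworked as an added C example (not SGI's patch and not code from
    the advisory): the helper is started by absolute path with execve
    and a fixed environment, so the caller's PATH is never consulted.
    The names run_helper, SAFE_ENV and child_path_is_fixed are
    hypothetical, and /bin/sh stands in for the real helper, whose
    absolute path the advisory does not give.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern from the advisory: system("disable") passes the name to /bin/sh,
 * which searches the caller-supplied PATH while the process runs as lp. */

/* Constructed fixed environment: nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run a helper by absolute path, without a shell or PATH lookup.
 * Returns the child's exit status, or -1 on refusal or failure. */
int run_helper(const char *abs_path, char *const argv[])
{
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* refuse bare names such as "disable" */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);                     /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: poison the caller's PATH (constructed value), then check that the
 * child sees only the fixed one. /bin/sh stands in for the real helper. */
int child_path_is_fixed(void)
{
    char *const argv[] = { "sh", "-c", "[ \"$PATH\" = /usr/bin:/bin ]", NULL };

    setenv("PATH", "/tmp/constructed-untrusted-dir:/usr/bin:/bin", 1);
    return run_helper("/bin/sh", argv) == 0;
}

int main(void)
{
    return child_path_is_fixed() ? 0 : 1;
}
```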