HP-UX setuid rlpdaemon induced to make illicit file writes

From: G.Borglum (borglum@nym.alias.net)
Date: 12/15/01


Date: 15 Dec 2001 04:48:47 -0000
From: G.Borglum <borglum@nym.alias.net>
To: bugtraq@securityfocus.com
To: listadmin@securityfocus.com


 (This may have gone AWOL before. If there was a reason for the
  moderator dropping it I'd be interested to know. G.B.)

THE PROBLEM
/usr/sbin/rlpdaemon in HP-UX is setuid root. Switches include "-l" to
enable logging and "-L /some/thing" to select a logfile other than the
default. When run by a non-root user it can create/append a logfile owned
by root. With a little care (and a copy of RFC1179) a local user can supply
data to add to files he chooses and thereby get root. The victim doesn't
actually need to have any printers configured.

THE TEST
10.20 and 11.00 are affected - maybe all versions before November 2001.
As a non-root user run "rlpdaemon -i -l -L /existing_directory/new_file".
If the logfile created is owned by root you have the bug. Patched systems
quit silently if "-i" is used and print " Unable to open/create logfile"
if "-l -L" is used.

THE FIX
HP's alert "Sec. Vulnerability in rlpdaemon" (HPSBUX0111-176) was released
2001-11-20 and describes this as a "logic flaw vulnerability". Because
the patches fix more than one problem you should definitely aim to have
them installed unless you remove rlpdaemon.

THE HISTORY
This was reported (with exploit) to security-alert@hp.com on 2001-08-08.

THE GREETZ
Mark, Mark, Mark, Lance, Huge, Clarkie

THE GRUMBLES
advisories not containing clear TEST and FIX sections

THE AUTHOR
http://brinkie.xs4all.nl/~robert/originals/dcp01012.jpg
far left in this shot from the collection at http://www.hal2001.org
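
The check from THE TEST, wrapped as a script an administrator can run as a non-root user; this is an added example, not part of the original post. The function names, result strings, the `/tmp/rlpcheck.$$` scratch directory and the stdin redirect are assumptions of this example.

```shell
#!/bin/sh
# Added example: automates THE TEST from the advisory. Run as a non-root user.
# RLPD can be overridden; the /tmp scratch directory is an assumption.
RLPD=${RLPD:-/usr/sbin/rlpdaemon}

# Numeric owner uid, parsed from "ls -ln" so no stat(1) is required.
owner_uid() {
    ls -ln "$1" 2>/dev/null | awk 'NR==1 {print $3}'
}

# Succeeds only if the file carries the setuid bit and is owned by uid 0.
is_setuid_root() {
    mode=$(ls -ln "$1" 2>/dev/null | awk 'NR==1 {print $1}')
    case "$mode" in
        ???[sS]*) [ "$(owner_uid "$1")" = "0" ] ;;
        *) return 1 ;;
    esac
}

# Interpret the result: $1 = logfile path, $2 = uid that ran the test.
classify_logfile() {
    if [ ! -f "$1" ]; then
        echo "not-created"      # matches the patched behaviour in THE TEST
    elif [ "$(owner_uid "$1")" = "0" ] && [ "$2" != "0" ]; then
        echo "vulnerable"       # root-owned logfile made for a non-root caller
    else
        echo "inconclusive"
    fi
}

check_rlpdaemon() {
    [ -x "$RLPD" ] || { echo "absent"; return 0; }
    is_setuid_root "$RLPD" || { echo "not-setuid-root"; return 0; }
    [ "$(id -u)" != "0" ] || { echo "rerun-as-non-root"; return 0; }
    dir=/tmp/rlpcheck.$$
    # mkdir fails if the name already exists, so a pre-planted path is refused.
    (umask 077; mkdir "$dir") || { echo "no-scratch-dir"; return 1; }
    # Assumption: stdin from /dev/null so the daemon sees EOF and exits.
    "$RLPD" -i -l -L "$dir/new_file" </dev/null >/dev/null 2>&1
    classify_logfile "$dir/new_file" "$(id -u)"
    rm -rf "$dir"
}

check_rlpdaemon
```

A result of `vulnerable` means the HPSBUX0111-176 patches are missing; `not-setuid-root` or `absent` means the binary cannot be used this way on that host.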


