HP-UX setuid rlpdaemon induced to make illicit file writes

2001-12-17T00:00:00
ID SECURITYVULNS:DOC:2275
Type securityvulns
Reporter Securityvulns
Modified 2001-12-17T00:00:00

Description

(This may have gone AWOL before. If there was a reason for the moderator dropping it I'd be interested to know. G.B.)

THE PROBLEM /usr/sbin/rlpdaemon in HP-UX is setuid root. Switches include "-l" to enable logging and "-L /some/thing" to select a logfile other than the default. When run by a non-root user it can create/append a logfile owned by root. With a little care (and a copy of RFC1179) a local user can supply data to add to files he chooses and thereby get root. The victim doesn't actually need to have any printers configured.

THE TEST 10.20 and 11.00 are affected - maybe all versions before November 2001. As a non-root user run "rlpdaemon -i -l -L /existing_directory/new_file". If the logfile created is owned by root you have the bug. Patched systems quit silently if "-i" is used and print " Unable to open/create logfile" if "-l -L" is used.
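The test above, wrapped as a repeatable audit for administrators. This is an added example, not part of the original advisory or HP's code. The function names, verdict strings and scratch-directory layout are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: the advisory's TEST as a repeatable audit.
# Function names, verdict strings and the scratch directory are assumptions.

# Print the numeric owner (field 3) from one line of `ls -ln` output.
owner_uid_of() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# True when an `ls -ln` line shows the owner setuid bit and owner uid 0.
is_setuid_root() {
    case "$(printf '%s\n' "$1" | awk '{ print $1 }')" in
        ???[sS]*) [ "$(owner_uid_of "$1")" = "0" ] ;;
        *) return 1 ;;
    esac
}

# Interpret the test: $1 = uid that ran it, $2 = `ls -ln` line of the
# logfile, or empty when no logfile appeared.
classify_result() {
    if [ "$1" = "0" ]; then
        echo "INCONCLUSIVE"        # root always owns what it creates
    elif [ -z "$2" ]; then
        echo "NO_LOGFILE"          # consistent with the patched behaviour
    elif [ "$(owner_uid_of "$2")" = "0" ]; then
        echo "VULNERABLE"          # non-root caller, root-owned logfile
    else
        echo "NOT_ROOT_OWNED"
    fi
}

# Run the check against a binary (default: the path named in the advisory).
rlp_check() {
    bin=${1:-/usr/sbin/rlpdaemon}
    [ -x "$bin" ] || { echo "NOT_INSTALLED"; return 0; }
    is_setuid_root "$(ls -ln "$bin")" || { echo "NOT_SETUID_ROOT"; return 0; }
    dir=${TMPDIR:-/tmp}/rlpcheck.$$
    mkdir -m 700 "$dir" || { echo "NO_SCRATCH_DIR"; return 0; }
    # Same switches as the advisory; stdin from /dev/null is an assumption
    # so the run cannot wait on a terminal.
    "$bin" -i -l -L "$dir/new_file" </dev/null >/dev/null 2>&1 || :
    classify_result "$(id -u)" "$(ls -ln "$dir/new_file" 2>/dev/null)"
    rm -rf "$dir"
}
```

Source the file as a non-root user and call `rlp_check`; a `NOT_SETUID_ROOT` or `NOT_INSTALLED` verdict means the binary was never executed.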

THE FIX HP's alert "Sec. Vulnerability in rlpdaemon" (HPSBUX0111-176) was released 2001-11-20 and describes this as a "logic flaw vulnerability". Because the patches fix more than one problem you should definitely aim to have them installed unless you remove rlpdaemon.

THE HISTORY This was reported (with exploit) to security-alert@hp.com on 2001-08-08.

THE GREETZ Mark, Mark, Mark, Lance, Huge, Clarkie

THE GRUMBLES advisories not containing clear TEST and FIX sections

THE AUTHOR http://brinkie.xs4all.nl/~robert/originals/dcp01012.jpg far left in this shot from the collection at http://www.hal2001.org