COMMAND

rlpdaemon illicit file writes

SYSTEMS AFFECTED

10.20 and 11.00 are affected

PROBLEM

G.Borglum reported the following:

/usr/sbin/rlpdaemon in HP-UX is setuid root. Switches include "-l" to enable logging and "-L /some/thing" to select a logfile other than the default. When run by a non-root user it can create/append a logfile owned by root. With a little care (and a copy of RFC1179) a local user can supply data to add to files he chooses and thereby get root. The victim doesn't actually need to have any printers configured.

Test
====

As a non-root user run "rlpdaemon -i -l -L /existing_directory/new_file". If the logfile created is owned by root you have the bug. Patched systems quit silently if "-i" is used and print " Unable to open/create logfile" if "-l -L" is used.

SOLUTION

HP's alert "Sec. Vulnerability in rlpdaemon" (HPSBUX0111-176) was released 2001-11-20 and describes this as a "logic flaw vulnerability". Because the patches fix more than one problem you should definitely aim to have them installed unless you remove rlpdaemon.
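
The test described under PROBLEM, written as a script an administrator can run on each host. This is an added example, not part of the original report or HP's alert. It assumes a POSIX sh with ls, awk and id; the helper names, the scratch-directory name and the /dev/null redirect are choices made here.

```sh
#!/bin/sh
# Added example: scripted form of the advisory's test (not HP's or the reporter's code).
RLPD=${RLPD:-/usr/sbin/rlpdaemon}        # path as given in the advisory

# Owner name of a file parsed from ls -ld (no stat(1) assumed); empty if the file is absent.
file_owner() { ls -ld "$1" 2>/dev/null | awk '{print $3}'; }

# True if the owner-execute position of the mode string shows setuid (s or S).
has_setuid() {
    case "$(ls -ld "$1" 2>/dev/null | awk '{print $1}')" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# verdict INVOKING_USER LOGFILE_OWNER   (empty owner means the logfile was not created)
verdict() {
    if   [ -z "$2" ];                         then echo not-created
    elif [ "$2" = root ] && [ "$1" != root ]; then echo vulnerable
    else                                           echo inconclusive
    fi
}

check_rlpdaemon() {
    me=$(id -un)
    if [ "$me" = root ]; then echo "skipped: run as a non-root user"; return 2; fi
    if [ ! -x "$RLPD" ]; then echo absent; return 0; fi
    if ! has_setuid "$RLPD" || [ "$(file_owner "$RLPD")" != root ]; then
        echo not-setuid-root; return 0
    fi
    umask 077
    dir=${TMPDIR:-/tmp}/rlpd-check.$$      # scratch directory name is an assumption
    mkdir "$dir" || return 2               # fail rather than reuse an existing path
    # stdin from /dev/null is a precaution added here so the run cannot wait on a terminal
    "$RLPD" -i -l -L "$dir/new_file" </dev/null >/dev/null 2>&1
    result=$(verdict "$me" "$(file_owner "$dir/new_file")")
    rm -rf "$dir"
    echo "$result"
    [ "$result" != vulnerable ]            # non-zero exit status flags an unpatched host
}

# Run the check only when asked:  sh rlpd-check.sh --run
case "${1:-}" in --run) check_rlpdaemon ;; esac
```

A result of "not-created" matches the patched behaviour described above; "absent" or "not-setuid-root" means the setuid binary the report depends on is not present on that host.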