Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: HP/UX :: hpux4934.htm

rlpdaemon illicit file writes
18th Dec 2001 [SBWID-4934]

	rlpdaemon illicit file writes


	10.20 and 11.00 are affected


	G.Borglum reported following :

	/usr/sbin/rlpdaemon in HP-UX is setuid root. Switches include \"-l\"  to
	enable logging and \"-L /some/thing\" to select  a  logfile  other  than
	the default. When run by a non-root user it can create/append a  logfile
	owned by root. With a little care (and a copy of RFC1179) a  local  user
	can supply data to add to files he chooses and  thereby  get  root.  The
	victim doesn\'t actually need to have any printers configured.




	As    a    non-root    user     run     \"rlpdaemon     -i     -l     -L
	/existing_directory/new_file\". If the logfile created is owned by  root
	you have the bug. Patched systems quit silently if \"-i\"  is  used  and
	print \" Unable to open/create logfile\" if \"-l -L\" is used.



	HP\'s alert \"Sec. Vulnerability  in  rlpdaemon\"  (HPSBUX0111-176)  was
	released   2001-11-20   and   describes   this   as   a   \"logic   flaw
	vulnerability\". Because the patches  fix  more  than  one  problem  you
	should  definitely  aim  to  have  them  installed  unless  you   remove

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH