Security problems on SCO's lp subsystem

[paganini () paganini net (Marco Paganini)]

-----BEGIN PGP SIGNED MESSAGE-----

Hello!

While casually looking for SETUID binaries in a newly installed
SCO 5.0.2 box, I have discovered that normal users with lp access
(the default) may cause headaches to the system administrador.

Details:

System: SCO 5.0.2 Enterprise (5.0.4 too?)
        Plain Vanilla Intel Server

OK. We are all clean.

Exploit 1)

Normal users can remove text files under /tmp. The lp command won't even
try to "print" (and remove afterwards) binary or executable programs.
There may be a way around this, but I haven't tried to find it.

$ lp -R /tmp/text_file_to_be_removed

The switch -R causes the removal of the file, after printing.

This exploit won't work in dirs that don't have the sticky bit set.

Exploit 2)

This is even better, but only works if your lp subsystem has a file named
/var/spool/lpd/lock. With this file in place, the lp command will enable
the "-L live" option. With this, you can write to *any* file in the system.
And even better, the file will be mode 600, owned by root...

Just do:
$ lp -L live=/any_file_in_the_system
blablabla
^D

And that's it. You can type anything you want/need.

I'd like to know if these problems are still valid on 5.0.4. I couldn't
find any mention of this problem on the SCO site. Older versions of SCO
may exhibit this problem, since many of these have /usr/bin/lp setuid to
root.

Regards
Paganini

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3in
Charset: latin1

iQCVAwUBNYlHbc6C8KwDKBjZAQEVPAP+K6B07p/0XRBHqrOLqq3vUsf/vRmuDZnr
3xguLKKoI2uFQlgQKp0Za2K9B9kB0eVNml0fsevN1YuaAmDVrclG2l/tDc/OZg9r
PuKzoUZTy1FMA0NNE5e+/cVxrCSBjO7UpxSSozWQZTUD9DbnLEqhj7NXYTSTCNb/
S/yptRYXBaQ=
=ItpN
-----END PGP SIGNATURE-----

--
Marco Paganini          | UNIX / Networking consultant
paganini () paganini net   | PGP: http://www.paganini.net/pgpkey.txt (RSA)
http://www.paganini.net | Fingerprint: 8734555AEDCF04D3A2E3A98A34E253D9