Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)

[Casper.Dik () HOLLAND SUN COM (Casper Dik)]

> lpset seems to use strcat() to pass the argument for -r flag
> ( /usr/lib/print/lib/../../../../tmp/foo) and appends .so to the end.
> in this case /tmp/foo.so is going to be dlopen
> but there is a special case /usr/lib/print/lib directory has to exist.
> xploit shell script is attached.

Is there any case in which the directory is created on a standard system?

Also, the code that has this bug (henceforth known as Sun bug #4334568)
was removed in Solaris 8.

Casper