Solaris LpNet temp file Vulnerability

Remote printing to the local spool causes a temporary file to be created in /var/tmp with mode 666, owned by lp. This can be combined with /var/lp/logs/lpsched, another temporary file created with mode 666 and owned by root, to gain root access: first symlink to /usr/spool/lp/.rhosts and become lp, then symlink to /.rhosts and, as lp, use /usr/sbin/lpshut to cause /.rhosts to be created with mode 666, owned by root.
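The weakness described above is a privileged process creating a world-writable file at a predictable name and following whatever symlink is already there. The following is an added example of the hardened creation pattern, not Solaris lp code; the function names, the scratch directory and the file names in it are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a new file readable and writable by its owner only.
 * O_EXCL fails if anything, including a symlink, already exists at path,
 * so a link planted in a shared directory is never followed. */
int create_private_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Confirm on the descriptor that this is a regular, private file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & 077)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch directory (all names hypothetical).
 * plant_link != 0 places a symlink at the temp file name beforehand.
 * Returns the new file's permission bits, -1 if creation was refused,
 * -2 if the symlink target came into existence, -3 on setup failure. */
int run_case(int plant_link)
{
    char dir[] = "/tmp/lpdemoXXXXXX", path[64], target[64];
    struct stat st;
    int result = -1;
    if (mkdtemp(dir) == NULL)
        return -3;
    mode_t old = umask(0);            /* worst case: umask gives no help */
    snprintf(path, sizeof path, "%s/spool.tmp", dir);
    snprintf(target, sizeof target, "%s/rhosts", dir);
    int setup = plant_link ? symlink(target, path) : 0;
    int fd = (setup == 0) ? create_private_file(path) : -1;
    if (fd >= 0 && fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 0777);
    if (fd >= 0)
        close(fd);
    if (stat(target, &st) == 0)
        result = -2;
    unlink(target); unlink(path); rmdir(dir);
    umask(old);
    return setup == 0 ? result : -3;
}
```

With a symlink already at the temp file name, creation is refused and the link target is never created; on an unused name the file comes out mode 600 even with the umask cleared.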


 

Copyright 2010, SecurityFocus