>lpset seems to use strcat() to pass the argument for -r flag > ( /usr/lib/print/lib/../../../../tmp/foo) and appends .so to the end. >in this case /tmp/foo.so is going to be dlopen >but there is a special case /usr/lib/print/lib directory has to exist. >xploit shell script is attached. Is there any case in which the directory is created on a standard system? Also, the code that has this bug (henceforth known as Sun bug #4334568) was removed in Solaris 8. Casper
- Solaris/SPARC 2.7 lpset exploit (well not likely !) noir
- Casper Dik
