CVE-1999-1391

HIGH 7.2 / 10.0
Published: October 3, 1990 at 04:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions.

CVSS Metrics

Base Score: 7.2
Severity: HIGH
Vector String: AV:L/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

NeXTSTEP systems running NeXT 1.0a and 1.0 are vulnerable to a local privilege escalation due to insecure printer configuration. Attackers can leverage the npd program and weak directory permissions to gain root access, potentially compromising the entire system and leading to data breaches or system outages.

02 // Vulnerability Mechanism

Step 1: Identify Vulnerable System: The attacker identifies a NeXTSTEP system running NeXT 1.0a or 1.0 with publicly accessible printers.

Step 2: Directory Enumeration: The attacker identifies directories used by npd for print spooling or temporary files. This is achieved through system enumeration, potentially by examining the print configuration files or by observing the behavior of the npd process.

Step 3: Permission Analysis: The attacker analyzes the permissions on the identified directories. The vulnerability exists if these directories have weak permissions, allowing the attacker to write to them.

Step 4: Malicious File Creation: The attacker crafts a malicious file, such as a PostScript file containing a system command or a shell script. This file is designed to be executed by npd.

Step 5: File Placement: The attacker places the malicious file in a directory accessible to npd, often by submitting a print job that uses the malicious file as input or by directly writing the malicious file to the spool directory.

Step 6: Trigger Execution: The attacker triggers the execution of the malicious file. This is typically done by submitting a print job, which causes npd to process the attacker's file.

Step 7: Privilege Escalation: The npd process, running with elevated privileges, executes the attacker's malicious code, granting the attacker root access or other elevated privileges.

03 // Deep Technical Analysis

The vulnerability stems from a combination of factors. The npd (NeXT Print Daemon) program, responsible for managing print jobs, likely runs with elevated privileges. Weak directory permissions, specifically on directories used by npd for spooling or temporary files, allow attackers to manipulate files and inject malicious code. The root cause is a privilege escalation flaw where an unprivileged user can write to a location where a privileged process (npd) will later execute the attacker's code. This is not a buffer overflow or memory corruption vulnerability, but rather a file system manipulation issue leading to code execution with higher privileges.
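The condition described above, a directory that unprivileged users can write to but a privileged daemon reads from, can be audited directly. The following is an added example, not code from the advisory or from NeXT; the function names and the temporary `spool/jobs` tree are constructed for illustration, since this page does not name the directories npd uses.

```python
import os
import shutil
import stat
import tempfile

def audit_dir_chain(target, trusted_uids=(0,), stop_at="/"):
    """Check `target` and each parent up to `stop_at` for permissions that
    let an untrusted user add, replace or rename files a daemon will read."""
    findings = []
    path, stop = os.path.realpath(target), os.path.realpath(stop_at)
    while True:
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        sticky = "sticky" if mode & stat.S_ISVTX else "no sticky bit"
        if st.st_uid not in trusted_uids:
            findings.append((path, "owner uid %d not trusted" % st.st_uid))
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable, %s (%04o)" % (sticky, mode)))
        elif mode & stat.S_IWGRP:
            findings.append((path, "group-writable by gid %d (%04o)" % (st.st_gid, mode)))
        parent = os.path.dirname(path)
        if path == stop or parent == path:
            return findings
        path = parent

def demo():
    """Constructed tree: base/spool (0777) / jobs (0755), owned by the caller."""
    base = tempfile.mkdtemp(prefix="spool-audit-")
    spool = os.path.join(base, "spool")
    jobs = os.path.join(spool, "jobs")
    os.makedirs(jobs)
    os.chmod(spool, 0o777)   # the weak setting
    os.chmod(jobs, 0o755)
    before = audit_dir_chain(jobs, trusted_uids=(os.getuid(),), stop_at=base)
    os.chmod(spool, 0o755)   # the corrected setting
    after = audit_dir_chain(jobs, trusted_uids=(os.getuid(),), stop_at=base)
    shutil.rmtree(base)
    return os.path.realpath(spool), before, after

if __name__ == "__main__":
    spool, before, after = demo()
    for path, issue in before:
        print("FINDING", path, issue)
    print("after chmod 0755:", after or "no findings")
```

The parent directories are checked as well as the leaf because write access to any ancestor allows the directory below it to be renamed and replaced.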
