HP/UX 10.X /var/tmp/outdata symlink hole

Description:Typical symlink problem
Author:David Hyams <nhyamd@ASCOM.CH>
Compromise:Wipe SAM data to arbitrary files, I don't know what happens with existing files. If you can clobber existing files, you can obviously become root.
Vulnerable Systems:HP/UX 10.X
Date:14 May 1997

Date: Wed, 14 May 1997 13:52:34 +0200
From: David Hyams <nhyamd@ASCOM.CH>
Subject: potential root exploit with help from sam (HP-UX 10.x)

While looking in the /var/tmp directory I noticed a file called "outdata".
After some experiments, I discovered that this file is written to by sam
when the user selects "Networking and Communication" followed by
"Internet Addresses" or "Network Information Service" (and probably others

So, if I make a symbolic link from /var/tmp/outdata to
/.rhosts (say), and wait for the sys-admin to run sam to configure
networking, I can get a /.rhosts file. Admittedly this isn't too
interesting as the file doesn't have the famous "+ +" in it. However,
if your sysadmin happens to have umask set to 0 then you've now got a
world writable /.rhosts file. (This isn't as unusual as it sounds, try an
rlogin to a remote host running HP-UX and check your umask. Chances are
it's 00).

No doubt other bugtraq readers can turn this into a more serious root
exploit - maybe it's possible to get sam to put a "+ +" in /.rhosts .
Or maybe someone can think of some other symbolic links to try.

David Hyams

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]