Pathetic hole in HP/UX 10.20 CUE

Description:the cue (character-based User Environment) program that ships with HP/UX 10.20 uses $LOGNAME to verify who the user is!@#$@#!$ and it has an exploitable symlink problem
Author:Leonid S Knyshov <wiseleo@JUNO.COM>
Compromise: root (local)
Vulnerable Systems:HP-UX 10.20, probably others
Date:1 September 1997

Date: Mon, 1 Sep 1997 15:07:58 -0700
From: Leonid S Knyshov <wiseleo@JUNO.COM>
Subject: HP UX Bug :)

Hi everyone :)

We all know that HP-UX is insecure (out of the box), right? Here is some

We are talking about HP-UX 10.20

One night I had nothing better to do, so I logged on to my college to
play with the computers...

I was surprised to see in MOTD that we are upgraded to Hp-UX 10.20

So I decided to check for suid binaries...

Sure enough I found a ton of them (more than 50 I belive)

One of the programs that attracted my attention was cue (Hewlett Packard
Character-based User Environment)

As it was possible to make it a login program, I decided to investigate

$ export LOGNAME=root
$ cue
Welcome root

That was encouraging, of course it gave up the suid priviledges when I
got the shell, but a different problem exists...
Since it was mislead by $LOGNAME (big oops in login programs :), it
detected that I am in fact not root... BUT

When I did ls -la, among others I found this:

-rw------- root mygroup 0 IOERROR.mytty

So, it also follows my umask...

$ umask 000
$ cue
-rw-rw-rw- root mygroup  0 IOERROR.mytty

I decided to check whether or not it will follow symlinks, so I created a
symlink  to /lost+found/test (unwriteable by anyone)

$ cue
$ ls -la /lost+found
-rw-rw-rw- root mygroup 0 test

So, it also follows symlinks...

However, it wipes out the target file. A symlink to /etc/passwd comes to

But, since it follows the umask, it might be possible to replace binaries
executed by system...

In any event, a very dangerous condition...

I do not have the access to source code, so I can't think of a patch.
Probably replace getenv with getuid or something like that.

So the recommendation would be to remove the program's suid bit, as

Aleph: if this is an old bug, do not clutter the list ;-)
Leonid Knyshov AKA Wise_One <>
For file attachments please use and send a note about
it here :)

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]