Exploit world!

HP/UX Section

Compiled by Fyodor fyodor@insecure.org
on Thu Jan 13 21:41:31 UTC 2000



Xaw and Xterm vulnerabilities
Description:There are a number of vulnerabilities in the X11R6 xterm(1) program and Xaw(3c) libraries. Most of them are buffer overflows.
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the exploit was written by alcuin
Compromise: root (local)
Vulnerable Systems:Those running Xterm or X apps linked to vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable.
Date:4 May 1998
Notes:I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out!
Exploit & full info:Available here


Overflow in kppp -c option
Description:Standard overflow
Author:"|[TDP]|" <tdp@psynet.net>
Compromise: root (local)
Vulnerable Systems:Those running kppp version < 1.1.3 suid root. This comes with the KDE system (which is pretty neat -- www.kde.org) and runs on Solaris, Linux, IRIX, and HP/UX
Date:29 April 1998
Notes:The hole was fixed a while prior to this posting so the (then) current version was not vulnerable.
Exploit & full info:Available here


Yet ANOTHER hole in the HP/UX Glance program
Description:Standard symlink-following TMPFILE stupidity
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems:HP/UX 10.20, perhaps other versions.
Date:27 April 1998
Exploit & full info:Available here


Nestea "Off By One" attack
Description:A popular attack against Linux boxes
Author:John McDonald <jmcdonal@UNF.EDU>
Compromise:Stupid remote DoS attack
Vulnerable Systems:Linux 2.0.33 and earlier, PalmOS, HP Jet Direct printer cards, some 3COM routers, Magnum 5000 Ethernet switch, Some Windows boxes, perhaps others
Date:17 April 1998
Notes:I have appended the original Linux code, a BSD port, an improved Linux version, and a few other messages on the topic.
Exploit & full info:Available here


ftp mget vulnerability
Description:If the nlist caused by a mget returns a file like /etc/passwd, most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "|sh" to execute arbitrary commands.
Author:I don't recall who found it first, in the appended post af@c4c.com gives an example of the bug using Linux Slackware
Compromise:ftp servers can compromise clients who use mget to d/l files
Vulnerable Systems:ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems
Date:3 November 1997 was when this example was posted (the bug was found a while back)
Exploit & full info:Available here


HP/UX newgroup hole
Description:Standard buffer overflow
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable newgroup, HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X
Date:25 September 1997
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


ARP and ICMP redirection games
Description:This excellent article/code from Yuri points out a number of (mostly known) problems with the ARP and ICMP protocols/implementations
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:spoof as a trusted host, redirect traffic through your host, DoS
Vulnerable Systems:Many versions of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP
Date:19 September 1997
Exploit & full info:Available here


Pathetic hole in HP/UX 10.20 CUE
Description:the cue (character-based User Environment) program that ships with HP/UX 10.20 uses $LOGNAME to verify who the user is!@#$@#!$ and it has an exploitable symlink problem
Author:Leonid S Knyshov <wiseleo@JUNO.COM>
Compromise: root (local)
Vulnerable Systems:HP-UX 10.20, probably others
Date:1 September 1997
Exploit & full info:Available here


HP/UX 10.X /var/tmp/outdata symlink hole
Description:Typical symlink problem
Author:David Hyams <nhyamd@ASCOM.CH>
Compromise:Wipe SAM data to arbitrary files, I don't know what happens with existing files. If you can clobber existing files, you can obviously become root.
Vulnerable Systems:HP/UX 10.X
Date:14 May 1997
Exploit & full info:Available here


HP/UX chfn bug
Description:Standard buffer overflow
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable chfn (probably 9.x, 10.x)
Date:December 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


More SOD HP/UX RemWatch vulnerabilities
Description:A number of internal HP/UX RemWatch binaries, including checkcore, rwiDCOM, and showdisk, are vulnerable. Several exploits included
Author:SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable RemWatch binaries, probably 9.x, 10.x
Date:6 November 1996 and earlier
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


SOD HP/UX /tmp/fpkg2swpk bug
Description:Standard buffer overflow
Author:Dog Catcher
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable fpkg2swpk, probably just 10.x
Date:November 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


SOD /usr/diag/bin/[cm]stm buffer overflow
Description:Standard buffer overflow
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable [cm]stm, probably 9.x 10.x
Date:November 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


(Another) SOD HP/UX RemoteWatch hole
Description:pathetic daemon
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root or whatever remwatch runs as (remote!)
Vulnerable Systems:HP/UX with vulnerable Remote Watch running, probably 9.x, maybe 10.x
Date:November 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


Another hpux ppl bug by SOD
Description:standard symlink/core vulnerability
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable ppl, probably 9.x 10.x
Date:15 October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


swinstall symlink exploit
Description:Standard symlink hole
Author:"Salty"
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable swinstall, mostly 10.x, some 9.x
Date:6 October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


HP/UX SOD glance bug
Description:symlink bug due to poor error file creation
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable /usr/perf/bin/glance, probably just 9.x
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


HP/UX ppl symlink problem
Description:ppl insecurely creates log files in world writeable directory, I'm sure you can see where this is headed.
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable ppl, 9.x 10.x
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


Race condition exploit for HP/UX SAM
Description:standard /tmp symlink race condition with HP/UX SAM
Author:John W. Jacobi (jjacobi@nova.umuc.edu)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable SAM, at least HP-UX 9.04 & 9.05 on 9000/700 & 9000/800
Date:25 September 1996
Notes:for more HP bugs see the SOD HP Bug of the Week page
Exploit & full info:Available here


HP/UX Rdist exploit
Description:SOD HP/UX rdist exploit
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable rdist, probably 9.x 10.x
Date:10 August 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


HP/UX Remote Watch hole
Description:Standard /tmp symlink exploit
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable , probably 9.x 10.x
Date:June 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


xrw bug
Description:shelling out from an xrw telnet session cedes EUID 0
Author:Ess Jay
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable xrw, probably 9.x 10.x
Date:23 May 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


HP/UX sam_exec user vulnerability
Description:In a particularly dumb move, HP/UX's remote administration program, SAM, adds a user 'sam_exec' with UID 0 and a standard password.
Author:bogus technician (bogus@command.com.inter.net) (apparently it is SOD again) was the first to find the 10.x password.
Compromise: root (local)
Vulnerable Systems:HP/UX 9.x,10.x where SAM has been used
Date:1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


xwcreate/destroy vulnerability
Description:xwcreate and xwdestroy let you delete any file on system!
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:delete any file on system, this can lead to root if you take out /etc/passwd, but BE CAREFUL! (local)
Vulnerable Systems:HP/UX with vulnerable xwcreate/xwdestroy 9.x and possibly 10.x
Date:Unknown
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


Old HPUX subnetconfig vulnerability
Description:Trojan-in-PATH vulnerability in subnetconfig
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable netconfig, possibly just 9.0
Date:OLD
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


More HP/UX glance vulnerabilities
Description:A couple more old glance vulnerabilities
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable glance, maybe 9.x or 10.x
Date:Unknown
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here



This page Copyright © Fyodor 1996, 1997, 1998