HP/UX 10.X /var/tmp/outdata symlink hole
| Description: | Typical symlink problem |
| Author: | David Hyams <nhyamd@ASCOM.CH> |
| Compromise: | Wipe SAM data to arbitrary files, I don't know what happens with existing files. If you can clobber existing files, you can obviously become root. |
| Vulnerable Systems: | HP/UX 10.X |
| Date: | 14 May 1997 |
Date: Wed, 14 May 1997 13:52:34 +0200
From: David Hyams <nhyamd@ASCOM.CH>
To: BUGTRAQ@NETSPACE.ORG
Subject: potential root exploit with help from sam (HP-UX 10.x)
While looking in the /var/tmp directory I noticed a file called "outdata".
After some experiments, I discovered that this file is written to by sam
when the user selects "Networking and Communication" followed by
"Internet Addresses" or "Network Information Service" (and probably others
too).
So, if I make a symbolic link from /var/tmp/outdata to
/.rhosts (say), and wait for the sys-admin to run sam to configure
networking, I can get a /.rhosts file. Admittedly this isn't too
interesting as the file doesn't have the famous "+ +" in it. However,
if your sysadmin happens to have umask set to 0 then you've now got a
world writable /.rhosts file. (This isn't as unusual as it sounds, try an
rlogin to a remote host running HP-UX and check your umask. Chances are
it's 00).
No doubt other bugtraq readers can turn this into a more serious root
exploit - maybe it's possible to get sam to put a "+ +" in /.rhosts .
Or maybe someone can think of some other symbolic links to try.
David Hyams
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
