Pathetic hole in HP/UX 10.20 CUE
Description: the cue (Character-based User Environment) program that ships with HP-UX 10.20 uses $LOGNAME to verify who the user is, and it has an exploitable symlink problem
Author: Leonid S Knyshov <wiseleo@JUNO.COM>
Compromise: root (local)
Vulnerable Systems: HP-UX 10.20, probably others
Date: 1 September 1997
Date: Mon, 1 Sep 1997 15:07:58 -0700
From: Leonid S Knyshov <wiseleo@JUNO.COM>
Subject: HP UX Bug :)
Hi everyone :)
We all know that HP-UX is insecure (out of the box), right? Here is some
We are talking about HP-UX 10.20
One night I had nothing better to do, so I logged on to my college to
play with the computers...
I was surprised to see in MOTD that we are upgraded to Hp-UX 10.20
So I decided to check for suid binaries...
Sure enough I found a ton of them (more than 50 I believe)
One of the programs that attracted my attention was cue (Hewlett Packard
Character-based User Environment)
As it was possible to make it a login program, I decided to investigate
$ export LOGNAME=root
That was encouraging, of course it gave up the suid privileges when I
got the shell, but a different problem exists...
Since it was misled by $LOGNAME (big oops in login programs :), it
detected that I am in fact not root... BUT
When I did ls -la, among others I found this:
-rw------- root mygroup 0 IOERROR.mytty
So, it also follows my umask...
$ umask 000
-rw-rw-rw- root mygroup 0 IOERROR.mytty
I decided to check whether or not it will follow symlinks, so I created a
symlink to /lost+found/test (unwritable by anyone)
$ ls -la /lost+found
-rw-rw-rw- root mygroup 0 test
So, it also follows symlinks...
However, it wipes out the target file. A symlink to /etc/passwd comes to
But, since it follows the umask, it might be possible to replace binaries
executed by system...
In any event, a very dangerous condition...
I do not have the access to source code, so I can't think of a patch.
Probably replace getenv with getuid or something like that.
So the recommendation would be to remove the program's suid bit, as
Aleph: if this is an old bug, do not clutter the list ;-)
Leonid Knyshov AKA Wise_One <email@example.com>
For file attachments please use firstname.lastname@example.org and send a note about
it here :)
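The two defects the post describes, identity taken from $LOGNAME and a predictable status file created through whatever symlink sits at its path with umask-dependent permissions, are easy to reproduce and to fix in a few lines. The following is an added example written for this page, not HP's cue source (which the poster notes is unavailable) and not code from the original message. It pairs the naive pattern with the hardened one the poster hints at (getuid() instead of getenv()), and adds what a defender would also want: O_NOFOLLOW|O_EXCL so a symlink is never followed or an existing file clobbered, and a fixed 0600 mode so the caller's umask cannot widen the file. The file name IOERROR.tty, the temp directory and the "hello" contents are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive identity check, as the post describes: any user can set $LOGNAME. */
const char *login_name_from_env(void) { return getenv("LOGNAME"); }

/* Naive file creation: creat() follows a symlink at `path`, truncates whatever
 * it points to, and the resulting mode is 0666 minus the caller's umask. */
int create_status_file_naive(const char *path) { return creat(path, 0666); }

/* Hardened identity: the kernel's real uid, which the user cannot forge. */
const char *login_name_from_uid(void) {
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : NULL;
}

/* Hardened creation: never follow a symlink (O_NOFOLLOW), never clobber an
 * existing file (O_EXCL), and pin the mode to 0600 regardless of umask. */
int create_status_file_safe(const char *path) {
    mode_t saved = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int saved_errno = errno;
    umask(saved);
    errno = saved_errno;
    return fd;
}

struct demo_result {
    long target_size_after_naive; /* 0 means the symlink target was truncated */
    int  naive_mode;              /* permission bits of a fresh naive file   */
    int  safe_errno;              /* errno when the safe open meets the link */
    int  safe_mode;               /* permission bits of a fresh safe file    */
};

static int perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Builds a constructed layout in a private temp directory:
 *   target        regular file holding "hello"
 *   IOERROR.tty   symlink -> target (the predictable name from the post)
 * then runs both creation routines against it under umask 000, the worst
 * case the post mentions. Returns 0 on success, -1 on setup failure. */
int demo_symlink_clobber(struct demo_result *r) {
    char dir[] = "/tmp/cue-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char target[300], link[300], fresh_naive[300], fresh_safe[300];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/IOERROR.tty", dir);
    snprintf(fresh_naive, sizeof fresh_naive, "%s/IOERROR.naive", dir);
    snprintf(fresh_safe, sizeof fresh_safe, "%s/IOERROR.safe", dir);

    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    if (write(fd, "hello", 5) != 5) { close(fd); return -1; }
    close(fd);
    if (symlink("target", link) != 0) return -1;

    mode_t saved = umask(000);

    /* naive: follows the link and empties target; fresh file comes out 0666 */
    fd = create_status_file_naive(link);
    if (fd >= 0) close(fd);
    struct stat st;
    r->target_size_after_naive = stat(target, &st) == 0 ? (long)st.st_size : -1;
    fd = create_status_file_naive(fresh_naive);
    if (fd >= 0) close(fd);
    r->naive_mode = perm_bits(fresh_naive);

    /* safe: refuses the link with EEXIST; fresh file is 0600 despite umask 000 */
    fd = create_status_file_safe(link);
    r->safe_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    fd = create_status_file_safe(fresh_safe);
    if (fd >= 0) close(fd);
    r->safe_mode = perm_bits(fresh_safe);

    umask(saved);
    unlink(link); unlink(target); unlink(fresh_naive); unlink(fresh_safe); rmdir(dir);
    return 0;
}

int main(void) {
    struct demo_result r;
    if (demo_symlink_clobber(&r) != 0) { perror("setup"); return 1; }
    printf("target size after naive creat through symlink: %ld\n", r.target_size_after_naive);
    printf("naive fresh file mode: %04o, safe fresh file mode: %04o\n", r.naive_mode, r.safe_mode);
    printf("safe open on the symlink failed with: %s\n", strerror(r.safe_errno));
    const char *me = login_name_from_uid();
    printf("identity via getuid(): %s\n", me ? me : "(no passwd entry)");
    return 0;
}
```

The important property for a setuid program is that the check and the create happen in one open(2) call: a separate lstat() followed by creat() leaves a window in which the path can be swapped, whereas O_NOFOLLOW|O_EXCL is evaluated atomically by the kernel. Pinning the mode inside the function rather than trusting the inherited umask addresses the second problem the post observed.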
This page is part of Fyodor's exploit