Pico symlink vulnerability

Date: Mon, 1 Sep 1997 15:07:58 -0700
From: Leonid S Knyshov <wiseleo@JUNO.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: HP UX Bug :)

Hi everyone :)

We all know that HP-UX is insecure (out of the box), right? Here is some
proof.

We are talking about HP-UX 10.20

One night I had nothing better to do, so I logged on to my college to
play with the computers...

I was surprised to see in MOTD that we are upgraded to Hp-UX 10.20

So I decided to check for suid binaries...

Sure enough I found a ton of them (more than 50 I belive)

One of the programs that attracted my attention was cue (Hewlett Packard
Character-based User Environment)

As it was possible to make it a login program, I decided to investigate
further...

$ export LOGNAME=root
$ cue
Welcome root

That was encouraging, of course it gave up the suid priviledges when I
got the shell, but a different problem exists...
Since it was mislead by $LOGNAME (big oops in login programs :), it
detected that I am in fact not root... BUT

When I did ls -la, among others I found this:

-rw------- root mygroup 0 IOERROR.mytty

So, it also follows my umask...

$ umask 000
$ cue
-rw-rw-rw- root mygroup  0 IOERROR.mytty

I decided to check whether or not it will follow symlinks, so I created a
symlink  to /lost+found/test (unwriteable by anyone)

$ cue
$ ls -la /lost+found
-rw-rw-rw- root mygroup 0 test

So, it also follows symlinks...

However, it wipes out the target file. A symlink to /etc/passwd comes to
mind.

But, since it follows the umask, it might be possible to replace binaries
executed by system...

In any event, a very dangerous condition...

I do not have the access to source code, so I can't think of a patch.
Probably replace getenv with getuid or something like that.

So the recommendation would be to remove the program's suid bit, as
usual.

Aleph: if this is an old bug, do not clutter the list ;-)
***
Leonid Knyshov AKA Wise_One <wiseleo@juno.com>
For file attachments please use wiseleo@hotmail.com and send a note about
it here :)