HP-UX man /tmp symlink Vulnerability
BID:1302
Info
| Bugtraq ID: | 1302 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Jun 02 2000 12:00AM |
| Updated: | Jun 02 2000 12:00AM |
| Credit: | Posted to BugTraq on June 2, 2000 by Jason Axley <[email protected]> |
| Vulnerable: | HP HP-UX 11.0, HP HP-UX 10.20 |
| Not Vulnerable: | |
Exploit / POC
Create ~65535 catXXXX or manXXXX symlinks in /tmp, pointing to the file you want to overwrite (e.g. /etc/passwd). Then wait. When root runs man, the symlinked file is blindly overwritten with the formatted (cat????) or unformatted (man????) manpage contents.
Solution / Fix
Solution:
You could chmod /tmp to 1777 and, AFTER that, create root-owned catXXXX and manXXXX files in /tmp to keep attackers from making the symlinks.
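A way to check a host against the workaround above, as an added example that is not part of the original advisory: the script tests whether a directory has the sticky bit set and lists any cat*/man* symlinks in it. The function names and the cat*/man* glob (derived from the advisory's catXXXX/manXXXX wording) are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a world-writable temp directory
# for the symlink pattern described above. The cat*/man* globs are an
# assumption based on the advisory's "catXXXX"/"manXXXX" wording.

# Succeeds if DIR has the sticky bit set (mode 1777 rather than 0777).
has_sticky() {
    [ -k "$1" ]
}

# Print one line per cat*/man* symlink in DIR: "<link> -> <target> owner=<user>".
list_suspect_links() {
    dir=$1
    for f in "$dir"/cat* "$dir"/man*; do
        # -L is true only for symlinks; an unmatched glob stays literal and is skipped.
        [ -L "$f" ] || continue
        owner=$(ls -ld "$f" | awk '{print $3}')
        target=$(readlink "$f")
        printf '%s -> %s owner=%s\n' "$f" "$target" "$owner"
    done
}

# Number of suspect symlinks in DIR.
count_suspect_links() {
    list_suspect_links "$1" | wc -l | tr -d ' '
}

# Full audit: returns non-zero if anything needs attention.
audit_tmp() {
    dir=$1
    status=0
    if ! has_sticky "$dir"; then
        echo "WARNING: $dir lacks the sticky bit; any user can remove or rename files in it"
        status=1
    fi
    n=$(count_suspect_links "$dir")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n cat*/man* symlink(s) in $dir:"
        list_suspect_links "$dir"
        status=1
    fi
    return $status
}

# Run against the directory given on the command line, e.g.: sh audit.sh /tmp
if [ "$#" -gt 0 ]; then
    audit_tmp "$1"
fi
```

Regular files named cat*/man* (such as the root-owned placeholders the workaround creates) are not reported; only symlinks are.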