HPUX net.init RC Script Vulnerability
BID:1602
Info
HPUX net.init RC Script Vulnerability
| Bugtraq ID: | 1602 |
| Class: | Race Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Aug 22 2000 12:00AM |
| Updated: | Aug 22 2000 12:00AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list on August 22, 2000 by Kyong-won Cho <[email protected]> |
| Vulnerable: |
HP HP-UX 11.0 |
| Not Vulnerable: | |
Discussion
HPUX net.init RC Script Vulnerability
A vulnerability exists in HP-UX, from Hewlett Packard, under certain configurations. Version 11.0 is confirmed to have this problem; other versions may also be susceptible. If the CLEAR_TMP option in /etc/rc.config.d is set to 1, meaning enabled, it is possible for a local user to create a symbolic link in /tmp that will be followed prior to being removed. This will allow the local user to overwrite any file upon reboot.
The /sbin/rc2.d/S008net.init file, and /sbin/rc2.d/S204clean_tmps file are run upon reboot. The net.init is run first. (Lower number S scripts are run first). In the net.init file, a temporary file, /tmp/stcp.conf, is use. This file is blindly written to, and is removed by the clean_tmps script. A local user can simply create this file as a symbolic link to any file, and cause the net.init script to overwrite its contents upon reboot.
A vulnerability exists in HP-UX, from Hewlett Packard, under certain configurations. Version 11.0 is confirmed to have this problem; other versions may also be susceptible. If the CLEAR_TMP option in /etc/rc.config.d is set to 1, meaning enabled, it is possible for a local user to create a symbolic link in /tmp that will be followed prior to being removed. This will allow the local user to overwrite any file upon reboot.
The /sbin/rc2.d/S008net.init file, and /sbin/rc2.d/S204clean_tmps file are run upon reboot. The net.init is run first. (Lower number S scripts are run first). In the net.init file, a temporary file, /tmp/stcp.conf, is use. This file is blindly written to, and is removed by the clean_tmps script. A local user can simply create this file as a symbolic link to any file, and cause the net.init script to overwrite its contents upon reboot.
Exploit / POC
HPUX net.init RC Script Vulnerability
ln -sf /VULNERABLE /tmp/stcp.conf
and reboot.
ln -sf /VULNERABLE /tmp/stcp.conf
and reboot.