HP-UX Aserver /tmp/null Symbolic Link Vulnerability
BID:1928
Info
| Bugtraq ID: | 1928 |
| Class: | Origin Validation Error |
| CVE: | CVE-2000-0005 |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 02 2000 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | First posted to Bugtraq by Justin Tripp on Jan 02, 2000. |
| Vulnerable: | HP HP-UX (VVOS) 10.24, HP HP-UX 11.0 4, HP HP-UX 11.0, HP HP-UX 10.34, HP HP-UX 10.30, HP HP-UX 10.20, HP HP-UX 10.16, HP HP-UX 10.10, HP HP-UX 10.9, HP HP-UX 10.8, HP HP-UX 10.0 |
| Not Vulnerable: | |
Discussion
Aserver is a server program that ships with HP-UX versions 10.x and above that is used to interface client applications with the audio hardware. Because it talks to hardware, it is installed setuid root by default.
During normal execution, Aserver uses a temporary file in /tmp called "null". Aserver does not check to see whether this file already exists or not when writing to it. If a malicious local user creates a symbolic link in /tmp called 'null', Aserver will overwrite whatever is pointed to when run. Since this is done as root, any file on the filesystem can be written to.
The data written is the output of "ps -e", which may lead to an elevation of privileges if the attacker can somehow get the right data out of this command into the right file (e.g., "\n+ +\n" in /.rhosts). This may also lead to a denial of service if critical files, such as /etc/passwd, are overwritten.
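The unchecked open described above, next to an exclusive create that refuses a pre-existing link, as an added example (not Aserver's code, which this page does not show). The function names and the scratch directory standing in for /tmp/null are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: write to a fixed temp name without checking
 * whether it exists. open() follows a symlink already planted at 'path'. */
int open_unchecked(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: with O_CREAT|O_EXCL, open() fails if anything (a symlink
 * included) already occupies 'path'. O_NOFOLLOW is defence in depth. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long size_of(const char *path) { /* follows links; -1 on error */
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private scratch directory: "null" is already a
 * symlink to a 5-byte file "target". Returns a bitmask (-1 if setup fails):
 * 1 = exclusive open refused, 2 = target intact afterwards,
 * 4 = unchecked open succeeded, 8 = target truncated through the link. */
int symlink_demo(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", target[64], tmp[64];
    int fd, r = 0; FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmp, sizeof tmp, "%s/null", dir);
    if (!(f = fopen(target, "w"))) return -1;
    fputs("keep\n", f); fclose(f);
    if (symlink(target, tmp) != 0) return -1;
    fd = open_exclusive(tmp);
    if (fd < 0) r |= 1; else close(fd);
    if (size_of(target) == 5) r |= 2;
    fd = open_unchecked(tmp);
    if (fd >= 0) { r |= 4; close(fd); }
    if (size_of(target) == 0) r |= 8;
    unlink(tmp); unlink(target); rmdir(dir);
    return r;
}
int main(void) { printf("mask = %d\n", symlink_demo()); return 0; }
```

Where the temporary file's name does not have to be fixed, mkstemp() performs the same exclusive create with an unpredictable name.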
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
HP HP-UX 11.0
- HP PHSS_21663
- HP PHSS_22062 http://ovweb.external.hp.com/cpe/patches/
- HP PHSS_27192 http://itrc.hp.com
HP HP-UX 11.0 4