Bugtraq mailing list archives
HP UX Bug :)
From: wiseleo () JUNO COM (Leonid S Knyshov)
Date: Mon, 1 Sep 1997 15:07:58 -0700
Hi everyone :)

We all know that HP-UX is insecure (out of the box), right? Here is some proof. We are talking about HP-UX 10.20.

One night I had nothing better to do, so I logged on to my college to play with the computers... I was surprised to see in MOTD that we are upgraded to HP-UX 10.20. So I decided to check for suid binaries... Sure enough I found a ton of them (more than 50 I believe). One of the programs that attracted my attention was cue (Hewlett Packard Character-based User Environment). As it was possible to make it a login program, I decided to investigate further...

    $ export LOGNAME=root
    $ cue
    Welcome root

That was encouraging; of course it gave up the suid privileges when I got the shell, but a different problem exists... Since it was misled by $LOGNAME (big oops in login programs :), it detected that I am in fact not root... BUT when I did ls -la, among others I found this:

    -rw------- root mygroup 0 IOERROR.mytty

So, it also follows my umask...

    $ umask 000
    $ cue
    -rw-rw-rw- root mygroup 0 IOERROR.mytty

I decided to check whether or not it will follow symlinks, so I created a symlink to /lost+found/test (unwritable by anyone)

    $ cue
    $ ls -la /lost+found
    -rw-rw-rw- root mygroup 0 test

So, it also follows symlinks... However, it wipes out the target file. A symlink to /etc/passwd comes to mind. But, since it follows the umask, it might be possible to replace binaries executed by system... In any event, a very dangerous condition...

I do not have access to the source code, so I can't think of a patch. Probably replace getenv with getuid or something like that. So the recommendation would be to remove the program's suid bit, as usual.

Aleph: if this is an old bug, do not clutter the list ;-)

***
Leonid Knyshov AKA Wise_One <wiseleo () juno com>
For file attachments please use wiseleo () hotmail com and send a note about it here :)
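The fix the post gestures at (ask the kernel who the caller is instead of $LOGNAME, drop the set-uid privilege before touching user-chosen paths, and create the status file with a fixed mode that ignores the caller's umask and refuses symlinks), written out as an added C example. This is not cue's source, which the author did not have, and the function names and /tmp paths are assumptions:

```c
/* Added example: the hardened counterpart of what the post describes.
   Not cue's source (the author did not have it); names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW   /* older libcs: O_CREAT|O_EXCL below still refuses symlinks */
#define O_NOFOLLOW 0
#endif

/* What the post implies cue does: creates the status file as root with the
   caller's umask (0666 & ~umask), truncating whatever the path points to. */
int create_status_file_like_cue(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Identity comes from the kernel (real uid), never from the environment. */
int claimed_user_matches_real_uid(const char *claimed) {
    struct passwd *pw = getpwuid(getuid());
    return claimed && pw && strcmp(claimed, pw->pw_name) == 0;
}

/* A set-uid program should shed the privilege before touching user paths.
   Returns 0 only when the effective ids really became the real ids. */
int drop_privileges(void) {
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1;
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* Create the per-user status file with a fixed 0600 mode, refusing to reuse
   an existing file or follow a symlink, regardless of the caller's umask. */
int create_status_file_safely(const char *path) {
    mode_t saved = umask(077);               /* caller's umask is not trusted */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    umask(saved);
    return fd;   /* -1 (EEXIST/ELOOP) if a file or link was already there */
}

/* Permission bits of an open file, for checking the result. */
int file_mode_bits(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}
```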
Current thread:
- Pine's re-occuring nightmare jericho () DIMENSIONAL COM (Sep 01)
- MS responds to Exchange Server 5.0 POP3 Security problem Manley, Jim W (Sep 01)
- Re: Pine's re-occuring nightmare Mark Crispin (Sep 01)
- HP UX Bug :) Leonid S Knyshov (Sep 01)
- Re: HP UX Bug :) Brian Mitchell (Sep 02)
- in.comsat DoS vulnerability Andrew Hobgood (Sep 02)
- You can find jizz.c here T o r g (Sep 03)
- You can find jizz.c here anonymous () ANONYMOUS ORG (Sep 03)
- [linux-security] Announce: chkexploit 1.13 (fwd) iON BARRiER (Sep 04)
- Re: [linux-security] Announce: chkexploit 1.13 (fwd) W.C. Epperson (Sep 04)
- [Alert] Website's uploader.exe (from demo) vulnerable Aleph One (Sep 04)
- Overflow in one of Apache 1.1.1 (maybe later too)'s modules Matt Conover (Sep 04)
- Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules Artur Pydo - EuroBretagne (Sep 05)
- Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules Marc Slemko (Sep 05)