[18066] in bugtraq
STM symlink Vulnerability
daemon@ATHENA.MIT.EDU (zorgon)
Wed Dec 13 22:38:47 2000
Message-Id: <200012131033.eBDAXLs00670@tbird.iworld.com>
Date: Wed, 13 Dec 2000 05:33:21 -0500
Reply-To: zorgon <zorgon@LINUXSTART.COM>
From: zorgon <zorgon@LINUXSTART.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Support Tool Manager Symlink Vulnerability
From the STM manual page:
>The Support Tools Manager (STM) provides three interfaces that allow a
>user access to an underlying toolset, consisting of information
>modules, firmware update tools, verifiers, diagnostics, exercisers,
>expert tools, and utilities.
A symlink vulnerability exists in STM. It shows up when you run cstm, for
example (but also xstm and mstm):
$uname -a
HP-UX localhost B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
$stm -c
Running Command File (/usr/sbin/stm/ui/config/.stmrc).
-- Information --
Support Tools Manager
Version A.22.00
Product Number B4708AA
(C) Copyright Hewlett Packard Co. 1995-1998
All Rights Reserved
Use of this program is subject to the licensing restrictions described
in "Help-->On Version". HP shall not be liable for any damages resulting
from misuse or unauthorized use of this program.
cstm>ru
Select Utility
1 MOutil
2 logtool
Enter selection : 1
-- Magneto-Optical device Utility --
MO Utility>
STM writes logs to the file "/var/stm/logs/tool_stat.txt".
But the existence and owner of the file are not checked prior to writing logs.
So local users may create tool_stat.txt as a symlink pointing to an arbitrary
file, and the file pointed to by the symlink will be overwritten.
This can result in a denial of service.
Vendor status:
This flaw is being addressed in HP labs.
==================================
zorgon <zorgon@linuxstart.com>
http://www.nightbird.free.fr
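
Added example, not part of the original post and not HP's code: one way a logging tool can perform the missing existence and owner check before writing to a file such as tool_stat.txt. It assumes a POSIX.1-2008 system with O_NOFOLLOW; the function names, the temporary directory and the "victim" file are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700               /* for O_NOFOLLOW, mkdtemp, symlink */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending. Refuse symlinks, non-regular files, files
 * owned by another user, and files that have extra hard links. */
int open_log_safely(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                      /* ELOOP when path is a symlink */
    /* fstat() inspects the object actually opened, so there is no
     * window between the check and the write. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp directory: "victim" stands in
 * for an arbitrary file and "tool_stat.txt" is a symlink pointing at it.
 * Returns 1 if the open was refused and victim still holds its 4 bytes. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/stmdemoXXXXXX", victim[64], logp[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/tool_stat.txt", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "data", 4) != 4) return 0;
    close(v);
    if (symlink(victim, logp) != 0) return 0;
    int fd = open_log_safely(logp, geteuid());
    int ok = fd < 0 && stat(victim, &st) == 0 && st.st_size == 4;
    unlink(logp); unlink(victim); rmdir(dir);
    return ok;
}
```

O_NOFOLLOW only covers the final path component, so the log directory itself should also be writable only by the account that owns the log.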