HP-UX (S008net.init) net.init rc文件覆盖漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105971 漏洞类型 未知
发布时间 2000-08-22 更新时间 2005-05-02
CVE编号 CVE-2000-0702 CNNVD-ID CNNVD-200010-020
漏洞平台 HP-UX CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/20162
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-020
|漏洞详情
HP-UX11.00(S008net.init)的net.initrc脚本存在漏洞。本地用户可以借助从/tmp/stcp.conf指向目标文件的符号链接攻击覆盖任意文件。
|漏洞EXP
source: http://www.securityfocus.com/bid/1602/info

A vulnerability exists in HP-UX, from Hewlett Packard, under certain configurations. Version 11.0 is confirmed to have this problem; other versions may also be susceptible. If the CLEAR_TMP option in /etc/rc.config.d is set to 1, meaning enabled, it is possible for a local user to create a symbolic link in /tmp that will be followed prior to being removed. This will allow the local user to overwrite any file upon reboot.

The /sbin/rc2.d/S008net.init file, and /sbin/rc2.d/S204clean_tmps file are run upon reboot. The net.init is run first. (Lower number S scripts are run first). In the net.init file, a temporary file, /tmp/stcp.conf, is use. This file is blindly written to, and is removed by the clean_tmps script. A local user can simply create this file as a symbolic link to any file, and cause the net.init script to overwrite its contents upon reboot.

ln -sf /VULNERABLE /tmp/stcp.conf
and reboot.
|参考资料

来源:BID
名称:1602
链接:http://www.securityfocus.com/bid/1602
来源:BUGTRAQ
名称:20000821[HackersLabbugpaper]HP-UXnet.initrcscript
链接:http://archives.neohapsis.com/archives/bugtraq/2000-08/0261.html
来源:XF
名称:hp-netinit-symlink
链接:http://xforce.iss.net/static/5131.php