OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: STM symlink Vulnerability
From: zorgon (zorgonLINUXSTART.COM)
Date: Wed Dec 13 2000 - 04:33:21 CST


Support Tool Manager Symlink Vulnerability

>From the STM manual page :

>The Support Tools Manager (STM) provides three interfaces that allow a
>user access to an underlying toolset, consisting of information
>modules, firmware update tools, verifiers, diagnostics, exercisers,
>expert tools, and utilities.

It exists a symlink vulnerability in STM. When you run cstm for example
(but also xstm and mstm):

$uname -a
HP-UX localhost B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
$stm -c
Running Command File (/usr/sbin/stm/ui/config/.stmrc).

-- Information --
Support Tools Manager

Version A.22.00

Product Number B4708AA

(C) Copyright Hewlett Packard Co. 1995-1998
All Rights Reserved

Use of this program is subject to the licensing restrictions described
in "Help-->On Version". HP shall not be liable for any damages resulting
from misuse or unauthorized use of this program.

cstm>ru
Select Utility
    1 MOutil
    2 logtool
Enter selection : 1

-- Magneto-Optical device Utility --
MO Utility>

STM writes logs to the file "/var/stm/logs/tool_stat.txt".
But the existance and owner of the file is not checked prior to writing logs.
So local users may create a symlink from an arbitrary file to tool_stat.txt
and the file pointed to by the symlink will be overwritten.
It can result to a denial of service.

Status vendor:
This flaw is being adressed in HP labs.

==================================
zorgon <zorgonlinuxstart.com>
http://www.nightbird.free.fr
----------------------
Do you do Linux? :)
Get your FREE linuxstart.com email address at: http://www.linuxstart.com