CVE-2000-0468 : Detail

CVE-2000-0468

0.04%V3
Local
2000-10-13
02h00 +00:00
2005-11-02
09h00 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

man in HP-UX 10.20 and 11 allows local attackers to overwrite files via a symlink attack.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 19990

Publication date : 2000-06-01 22h00 +00:00
Author : Jason Axley
EDB Verified : Yes

source: https://www.securityfocus.com/bid/1302/info The programmers of the 'man' command on various HPUX releases have made several fatal mistakes that allow an attacker to trivially set a trap that could result in any arbitrary file being overwritten on the system when root runs the 'man' command. Details: 1) man creates temporary files with predictable filenames in world-writeable directories. The two files are named catXXXX and manXXXX where XXXX is the PID of the man process (highly predictable). 2) man blindly follows symlinks. 3) man explicitly opens the temp files with mode 666 and ignores the existing umask. I verified that this doesn't change the mode of existing files to 666, but it allows for attackers to edit the tempfiles and potentially insert harmful man commands (like recent Bugtraq discussions about malicious manpages). 4) man opens the tempfiles with O_TRUNC. This means that when a file is symlinked to, that file is blindly truncated. This could lead to easy denial-of-service if you want to trash the password file or a hard disk device file. This could also have bad effects on sane man program operation, regardless of security, if a user runs man and leaves it running, then PIDs are wrapped around and someone of higher privilege runs man and overwrites your tempfiles! Create ~65535 catXXXX or manXXXX symlinks in /tmp, pointing to the file you want to overwrite (e.g. /etc/passwd). Then wait. When root runs man, the file will be blindly overwritten with the formatted manpage contents (cat????) or unformatted (man????) are written to the symlinked file.

Products Mentioned

Configuraton 0

Hp>>Hp-ux >> Version 10.20

Hp>>Hp-ux >> Version 11.00

References

http://www.securityfocus.com/bid/1302
Tags : vdb-entry, x_refsource_BID