Support Tool Manager Symlink Vulnerability
>From the STM manual page :
>The Support Tools Manager (STM) provides three interfaces that allow a
>user access to an underlying toolset, consisting of information
>modules, firmware update tools, verifiers, diagnostics, exercisers,
>expert tools, and utilities.
It exists a symlink vulnerability in STM. When you run cstm for example
(but also xstm and mstm):
$uname -a
HP-UX localhost B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
$stm -c
Running Command File (/usr/sbin/stm/ui/config/.stmrc).
– Information –
Support Tools Manager
Version A.22.00
Product Number B4708AA
(C) Copyright Hewlett Packard Co. 1995-1998
All Rights Reserved
Use of this program is subject to the licensing restrictions described
in "Help–>On Version". HP shall not be liable for any damages resulting
from misuse or unauthorized use of this program.
cstm>ru
Select Utility
1 MOutil
2 logtool
Enter selection : 1
– Magneto-Optical device Utility –
MO Utility>
STM writes logs to the file "/var/stm/logs/tool_stat.txt".
But the existance and owner of the file is not checked prior to writing logs.
So local users may create a symlink from an arbitrary file to tool_stat.txt
and the file pointed to by the symlink will be overwritten.
It can result to a denial of service.
Status vendor:
This flaw is being adressed in HP labs.
Do you do Linux? :)
Get your FREE @linuxstart.com email address at: http://www.linuxstart.com