Vulnerability Note VU#127435
HPUX kmmodreg allows arbitrary file overwriting via symlink redirection of temporary file
The kmmodreg program distributed with some HPUX versions creates two temporary files with predictable names. Due to insecure handling of these files, an intruder may use them to overwrite arbitrary files during system boot via a symbolic link attack.
The kmmodreg program distributed with some HPUX versions creates two files in /tmp: /tmp.kmmodreg_lock and /tmp/kmpath.tmp. The creat() call used in this program does not check for prior existence of either file.
By creating symbolic links named for either of the two temporary files, an intruder can overwrite any file in the system with data from kmmodreg. Since kmmodreg runs automatically during reboot, no separate invocation is required. The overwrite may cause a file corruption leading to denial of service, or, since the temporary files are created to allow modification by anyone (protected 666), this may be used to allow modification of system files leading to increased user privileges.
Apply vendor patches; see the Systems Affected section below.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Hewlett Packard||Affected||04 May 2001||01 Aug 2001|
CVSS Metrics (Learn More)
This vulnerability was first reported by Graf Potozky.
This document was last updated by Tim Shimeall.
- CVE IDs: Unknown
- Date Public: 04 Jun 2001
- Date First Published: 31 Jul 2001
- Date Last Updated: 01 Aug 2001
- Severity Metric: 11.64
- Document Revision: 6
If you have feedback, comments, or additional information about this vulnerability, please send us email.