Vulnerability Note VU#127435

HPUX kmmodreg allows arbitrary file overwriting via symlink redirection of temporary file

Original Release date: 31 Jul 2001 | Last revised: 01 Aug 2001

Overview

The kmmodreg program distributed with some HPUX versions creates two temporary files with predictable names. Due to insecure handling of these files, an intruder may use them to overwrite arbitrary files during system boot via a symbolic link attack.

Description

The kmmodreg program distributed with some HPUX versions creates two files in /tmp: /tmp.kmmodreg_lock and /tmp/kmpath.tmp. The creat() call used in this program does not check for prior existence of either file.

Impact

By creating symbolic links named for either of the two temporary files, an intruder can overwrite any file in the system with data from kmmodreg. Since kmmodreg runs automatically during reboot, no separate invocation is required. The overwrite may cause a file corruption leading to denial of service, or, since the temporary files are created to allow modification by anyone (protected 666), this may be used to allow modification of system files leading to increased user privileges.

Solution

Apply vendor patches; see the Systems Affected section below.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Hewlett PackardAffected04 May 200101 Aug 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was first reported by Graf Potozky.

This document was last updated by Tim Shimeall.

Other Information

  • CVE IDs: Unknown
  • Date Public: 04 Jun 2001
  • Date First Published: 31 Jul 2001
  • Date Last Updated: 01 Aug 2001
  • Severity Metric: 11.64
  • Document Revision: 6

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.