Vulnerability Note VU#127435

HPUX kmmodreg allows arbitrary file overwriting via symlink redirection of temporary file

Original Release date: 31 Jul 2001 | Last revised: 01 Aug 2001


The kmmodreg program distributed with some HPUX versions creates two temporary files with predictable names. Due to insecure handling of these files, an intruder may use them to overwrite arbitrary files during system boot via a symbolic link attack.


The kmmodreg program distributed with some HPUX versions creates two files in /tmp: /tmp.kmmodreg_lock and /tmp/kmpath.tmp. The creat() call used in this program does not check for prior existence of either file.


By creating symbolic links named for either of the two temporary files, an intruder can overwrite any file in the system with data from kmmodreg. Since kmmodreg runs automatically during reboot, no separate invocation is required. The overwrite may cause a file corruption leading to denial of service, or, since the temporary files are created to allow modification by anyone (protected 666), this may be used to allow modification of system files leading to increased user privileges.


Apply vendor patches; see the Systems Affected section below.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Hewlett PackardAffected04 May 200101 Aug 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was first reported by Graf Potozky.

This document was last updated by Tim Shimeall.

Other Information

  • CVE IDs: Unknown
  • Date Public: 04 Jun 2001
  • Date First Published: 31 Jul 2001
  • Date Last Updated: 01 Aug 2001
  • Severity Metric: 11.64
  • Document Revision: 6


If you have feedback, comments, or additional information about this vulnerability, please send us email.