SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#509454

HP-UX shar utility creates files with predictable names in "/tmp" directory

Overview

The shar program distributed with some versions of the HP-UX operating system creates files insecurely. This vulnerability could allow local users to gain escalated privilege on the system.

I. Description

shar is a program commonly available on UNIX systems to create a shell script that will recreate a file hierarchy specified by the command line operands. The shar program is often used for distributing a directory of files by FTP or email. The shar program distributed with some versions of the HP-UX operating system creates files with predictable names in the /tmp directory. In environments where multiple users have write access to the /tmp directory, this behavior could be exploited by an attacker to overwrite files with another user's privileges.

II. Impact

An attacker with the ability to create symbolic links for predictable filenames in the /tmp directory may be able to overwrite files owned by another user. When a shell script generated by the flawed version of the shar program is executed, the symbolic links would be followed and the target files created with the permissions of the user who ran the script.

III. Solution

Apply a patch from the vendor

Patches that address this vulnerability have been released. Please see the vendor information in the Systems Affected section of this document for more details.

NOTE: After the patches have been applied, Hewlett-Packard recommends that users always specify a secure directory in the TMPDIR environment variable when creating shar archives. Hewlett-Packard also states that shar archives created with previous versions of the shar program will still use the /tmp directory even after the recommended patches are installed. Users are encouraged to inspect existing shar archives and replace references to /tmp with $TMPDIR. This can be accomplished by manually editing the files or with the simple script provided in the Hewlett-Packard bulletin.

Systems Affected

VendorStatusDate NotifiedDate Updated
Hewlett-Packard CompanyVulnerable22-Jan-2004

References


http://www.secunia.com/advisories/10339/

Credit

Thanks to the Hewlett-Packard Company for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

Date Public:2003-12-02
Date First Published:2004-01-23
Date Last Updated:2004-01-23
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:2.13
Document Revision:7

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader