# Software Engineering Institute

## HP-UX shar utility creates files with predictable names in "/tmp" directory

#### Vulnerability Note VU#509454

Original Release Date: 2004-01-23 | Last Revised: 2004-01-23

### Overview

The shar program distributed with some versions of the HP-UX operating system creates files insecurely. This vulnerability could allow local users to gain escalated privilege on the system.

### Description

 shar is a program commonly available on UNIX systems to create a shell script that will recreate a file hierarchy specified by the command line operands. The shar program is often used for distributing a directory of files by FTP or email. The shar program distributed with some versions of the HP-UX operating system creates files with predictable names in the /tmp directory. In environments where multiple users have write access to the /tmp directory, this behavior could be exploited by an attacker to overwrite files with another user's privileges.

### Impact

 An attacker with the ability to create symbolic links for predictable filenames in the /tmp directory may be able to overwrite files owned by another user. When a shell script generated by the flawed version of the shar program is executed, the symbolic links would be followed and the target files created with the permissions of the user who ran the script.

 Apply a patch from the vendorPatches that address this vulnerability have been released. Please see the vendor information in the Systems Affected section of this document for more details.NOTE: After the patches have been applied, Hewlett-Packard recommends that users always specify a secure directory in the TMPDIR environment variable when creating shar archives. Hewlett-Packard also states that shar archives created with previous versions of the shar program will still use the /tmp directory even after the recommended patches are installed. Users are encouraged to inspect existing shar archives and replace references to /tmp with $TMPDIR. This can be accomplished by manually editing the files or with the simple script provided in the Hewlett-Packard bulletin. ### Vendor Information 509454 ### Hewlett-Packard Company Affected Updated: January 22, 2004 ### Status Affected ### Vendor Statement HP Support Information Digests =============================================================================== o Security Bulletin Digest Split ------------------------------ The security bulletins digest has been split into multiple digests based on the operating system (HP-UX, MPE/iX, and HP Secure OS Software for Linux). You will continue to receive all security bulletin digests unless you choose to update your subscriptions. To update your subscriptions, use your browser to access the IT Resource Center on the World Wide Web at: http://support.itrc.hp.com/ Under the Maintenance and Support Menu, click on the "more..." link. Then use the 'login' link at the left side of the screen to login using your IT Resource Center User ID and Password. Under the notifications section (near the bottom of the page), select ITRC Maintenance/Support. To subscribe or unsubscribe to a specific security bulletin digest, select or unselect the checkbox beside it. Then click the "Update Subscriptions" button at the bottom of the page. o IT Resource Center World Wide Web Service --------------------------------------------------- If you subscribed through the IT Resource Center and would like to be REMOVED from this mailing list, access the IT Resource Center on the World Wide Web at: http://support.itrc.hp.com/ Login using your IT Resource Center User ID and Password. Then select ITRC Maintenance/Support (located under Maintenance and Support). You may then unsubscribe from the appropriate digest. =============================================================================== Digest Name: daily HP-UX security bulletins digest Created: Tue Dec 2 6:19:32 EST 2003 Table of Contents: Document ID Title --------------- ----------- HPSBUX0312-304 SSRT3630 Security Vulnerability in shar(1) The documents are listed below. ------------------------------------------------------------------------------- Document ID: HPSBUX0312-304 Date Loaded: 20031201 Title: SSRT3630 Security Vulnerability in shar(1) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ----------------------------------------------------------------- Source: HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0312-304 Originally issued: 01 Dec 2003 SSRT3630 Security Vulnerability in shar(1) ----------------------------------------------------------------- NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact. The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. ----------------------------------------------------------------- PROBLEM: shar(1) creates tmp files insecurely. IMPACT: Possible filesystem damage, execution of arbitrary code, or Denial of Service. PLATFORM: HP9000 servers running HP-UX versions B.11.00, B.11.04, and B.11.11. SOLUTION: Apply the appropriate patch from itrc.hp.com: PHCO_29010 B.11.11 PHCO_29697 B.11.04 PHCO_28954 B.11.00 MANUAL ACTIONS: Yes If the /tmp directory is not trusted specify a trusted directory in the TMPDIR environment variable. Shar archives which do not use TMPDIR should be modified as discussed below. AVAILABILITY: All patches are available now on <itrc.hp.com> ----------------------------------------------------------------- A. Background The shar(1) utility, which among other things is used to package HP-UX patches, creates temporary files with predictable names on /tmp. If shar files are unpacked on a system where /tmp cannot be trusted a potential vulnerability exists. Shar archives created with the new version of shar(1) can specify a safe directory for temporary file creation using the TMPDIR environment variable. Shar archives created with previous versions of shar(1) will still use /tmp even after the recommended patches are installed. There are additions to the man page for shar(1) describing the new environment variable TMPDIR. The following procedure can be used to replace references to /tmp with TMPDIR in existing shar archives.$ cat addTMPDIR.awk
/..@EOF/ {scan_off=1}
/^@EOF/  {scan_off=0}
/unpacker <<.@eof./ {scan_off=1}
{
if(scan_off != 1) {
gsub ("/tmp",  "$TMPDIR") } print$0
}

$cp PHCO_29010 PHCO_29010.orig$ export TMPDIR=$HOME$ awk -f addTMPDIR.awk PHCO_29010.orig >PHCO_29010

### CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

### Acknowledgements

Thanks to the Hewlett-Packard Company for reporting this vulnerability.

This document was written by Chad R Dougherty.

### Other Information

 CVE IDs: None Severity Metric: 2.13 Date Public: 2003-12-02 Date First Published: 2004-01-23 Date Last Updated: 2004-01-23 16:12 UTC Document Revision: 9