Vulnerability

    STM

Affected

    HpUX

Description

    'zorgon'  posted  following.   The  Support  Tools  Manager  (STM)
    provides  three  interfaces  that  allow  a  user  access  to   an
    underlying toolset,  consisting of  information modules,  firmware
    update tools,  verifiers, diagnostics,  exercisers, expert  tools,
    and utilities.

    It exists a symlink vulnerability in  STM.  When you run cstm  for
    example (but also xstm and mstm):

        $uname -a
        HP-UX localhost B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
        $stm -c
        Running Command File (/usr/sbin/stm/ui/config/.stmrc).

        -- Information --
        Support Tools Manager
        
        
        Version A.22.00
        
        Product Number B4708AA
        
        (C) Copyright Hewlett Packard Co. 1995-1998
        All Rights Reserved
        
        Use of this program is subject to the licensing restrictions described
        in "Help-->On Version".  HP shall not be liable for any damages resulting
        from misuse or unauthorized use of this program.
        
        cstm>ru
        Select Utility
            1 MOutil
            2 logtool
        Enter selection : 1
        
        -- Magneto-Optical device Utility --
        MO Utility>

    STM writes  logs to  the file  "/var/stm/logs/tool_stat.txt".  But
    the  existance  and  owner  of  the  file  is not checked prior to
    writing  logs.   So  local  users  may  create  a  symlink from an
    arbitrary file  to tool_stat.txt  and the  file pointed  to by the
    symlink  will  be  overwritten.   It  can  result  to  a denial of
    service.

Solution

    This flaw is being adressed in HP labs.