COMMAND

    /[usr/]bin/cue (known as CUE)

SYSTEMS AFFECTED

    HP9000 series 800, releases HP-UX 8.X, 9.X, 10.X, and 11.0

PROBLEM

    For start let's say that cue (Hewlett Packard Character-based User
    Environment) is suid binary.  Enough  said?  As it is possible  to
    make it a login program, let's see further...

        $ export LOGNAME=root
        $ cue
        Welcome root

    Encouraging stuff, of course it gives up the suid priviledges when
    you got the shell, but a different problem exists...  Since it was
    mislead  by  $LOGNAME  (big  oops  in  login  programs :), it will
    detect that you're  in fact not  root... BUT if  do ls -la,  among
    others you'll find this:

        -rw------- root mygroup 0 IOERROR.mytty

    It also follows your umask?

        $ umask 000
        $ cue
        -rw-rw-rw- root mygroup  0 IOERROR.mytty

    It  follows.   Does  it  follow  symlinks?   Creating a symlink to
    /lost+found/test (unwriteable by anyone) will be proove:

        $ cue
        $ ls -la /lost+found
        -rw-rw-rw- root mygroup 0 test

    So, it also follows symlinks...  However, it wipes out the  target
    file.  In any event, a very dangerous condition.  .forward/.rhosts
    is the most obvious attack.  Credit goes to Leonid S. Knyshov.

SOLUTION

    Since the release of HP-UX 10.30 (a developers release), the HP-UX
    CUE  system  is  officially  obsolete,  and has been deprecated in
    HP-UX release 11.0.   There will be  no patches released  to solve
    this issue.

        chmod 000 /usr/bin/cue    or   rm /usr/bin/cue

    HP  strongly  recommends  that  system  administrators  disable or
    remove cue from their systems, due to the nature of this  problem.
    No upgrades from existing releases currently in use are necessary.