发布时间 :2000-06-02 00:00:00
修订时间 :2008-09-10 15:04:44

[原文]man in HP-UX 10.20 and 11 allows local attackers to overwrite files via a symlink attack.

[CNNVD]HP-UX 10.20 and 11 man文件覆盖漏洞(CNNVD-200006-011)

        HP-UX 10.20和11版本中man存在漏洞。本地攻击者借助符号链接攻击可以覆盖文件。

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:hp:hp-ux:11.00HP-UX 11.00
cpe:/o:hp:hp-ux:10.20HP HP-UX 10.20

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20000601 HP Security vulnerability in the man command

- 漏洞信息

HP-UX 10.20 and 11 man文件覆盖漏洞
中危 未知
2000-06-02 00:00:00 2005-05-02 00:00:00
        HP-UX 10.20和11版本中man存在漏洞。本地攻击者借助符号链接攻击可以覆盖文件。

- 公告与补丁


- 漏洞信息 (19990)

HP-UX 10.20/11.0 man /tmp symlink Vulnerability (EDBID:19990)
hp-ux local
2000-06-02 Verified
0 Jason Axley
N/A [点击下载]

The programmers of the 'man' command on various HPUX releases have made several fatal mistakes that allow an attacker to trivially set a trap that could result in any arbitrary file being overwritten on the system when root runs the 'man' command.


1) man creates temporary files with predictable filenames in world-writeable directories. The two files are named catXXXX and manXXXX where XXXX is the PID of the man process (highly predictable).

2) man blindly follows symlinks.

3) man explicitly opens the temp files with mode 666 and ignores the existing umask. I verified that this doesn't change the mode of existing files to 666, but it allows for attackers to edit the tempfiles and potentially insert harmful man commands (like recent Bugtraq discussions about malicious manpages).

4) man opens the tempfiles with O_TRUNC. This means that when a file is symlinked to, that file is blindly truncated. This could lead to easy denial-of-service if you want to trash the password file or a hard disk device file. This could also have bad effects on sane man program operation, regardless of security, if a user runs man and leaves it running, then PIDs are wrapped around and someone of higher privilege runs man and overwrites your tempfiles!

Create ~65535 catXXXX or manXXXX symlinks in /tmp, pointing to the file you want to overwrite (e.g. /etc/passwd). Then wait. When root runs man, the file will be blindly overwritten with the formatted manpage contents (cat????) or unformatted (man????) are written to the symlinked file. 		

- 漏洞信息

HP-UX man Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Loss of Integrity Patch / RCS
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2000-06-02 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, HP has reportedly released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete