STM symlink Vulnerability

[zorgon <zorgon () LINUXSTART COM>]

Support Tool Manager Symlink Vulnerability

> From the STM manual page :

> The Support Tools Manager (STM) provides three interfaces that allow a
> user access to an underlying toolset, consisting of information
> modules, firmware update tools, verifiers, diagnostics, exercisers,
> expert tools, and utilities.

It exists a symlink vulnerability in STM. When you run cstm for example
(but also xstm and mstm):

$uname -a
HP-UX localhost B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
$stm -c
Running Command File (/usr/sbin/stm/ui/config/.stmrc).

-- Information --
Support Tools Manager


Version A.22.00

Product Number B4708AA

(C) Copyright Hewlett Packard Co. 1995-1998
All Rights Reserved

Use of this program is subject to the licensing restrictions described
in "Help-->On Version".  HP shall not be liable for any damages resulting
from misuse or unauthorized use of this program.

cstm>ru
Select Utility
    1 MOutil
    2 logtool
Enter selection : 1

-- Magneto-Optical device Utility --
MO Utility>

STM writes logs to the file "/var/stm/logs/tool_stat.txt".
But the existance and owner of the file is not checked prior to writing logs.
So local users may create a symlink from an arbitrary file to tool_stat.txt
and the file pointed to by the symlink will be overwritten.
It can result to a denial of service.

Status vendor:
This flaw is being adressed in HP labs.



==================================
zorgon <zorgon () linuxstart com>
http://www.nightbird.free.fr
----------------------
Do you do Linux? :)
Get your FREE @linuxstart.com email address at: http://www.linuxstart.com