HP Tru64 UNIX ps Command Discloses Environment Variables to Local Users
|
SecurityTracker Alert ID: 1017592 |
SecurityTracker URL: http://securitytracker.com/id/1017592
|
CVE Reference:
CVE-2007-0805
(Links to External Site)
|
Updated: May 19 2008
|
Original Entry Date: Feb 6 2007
|
Impact:
Disclosure of system information
|
Exploit Included: Yes
|
Version(s): HP OSF1 v5.1 1885 Alpha
|
Description:
A vulnerability was reported in the 'ps' utility on HP Tru64. A local user can view environment variable values.
A local user can invoke the '/usr/ucb/ps' command to view the values of environment variables of all processes on the target system.
The vendor has been notified.
A demonstration exploit is available at:
http://rawlab.mindcreations.com/codes/exp/nix/osf1tru64ps.ksh
Andrea "bunker" Purificato reported this vulnerability.
|
Impact:
A local user can view the values of environment variables of all processes on the target system.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.hp.com/ (Links to External Site)
|
Cause:
Access control error
|
|
Message History:
None.
|
Source Message Contents
|
Subject: PS Information Leak on HP True64 Alpha OSF1 v5.1 1885
|
[After months of silence from the "HP Software Security Response Team"]
-Type: Information leak
-Risk: low
-Author: Andrea "bunker" Purificato - http://rawlab.mindcreations.com
-Description: the "ps" command (also /usr/ucb/ps) on HP OSF1 v5.1 Alpha,
developed without an eye to security, allows unprivileged users to see
values of all processes environment variables.
It's something similar to "raptor_ucbps" (by Marco Ivaldi) for Solaris.
I've tested it only on OSF1 v5.1 1885.
If you remove bit suid from executable, "ps" doesn't work correctly.
-Code: http://rawlab.mindcreations.com/codes/exp/nix/osf1true64ps.ksh
Bye,
--
Andrea "bunker" Purificato
+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.
http://rawlab.mindcreations.com
|
|