search menu icon-carat-right cmu-wordmark

CERT Coordination Center

HP-UX shar utility creates files with predictable names in "/tmp" directory

Vulnerability Note VU#509454

Original Release Date: 2004-01-23 | Last Revised: 2004-01-23

Overview

The shar program distributed with some versions of the HP-UX operating system creates files insecurely. This vulnerability could allow local users to gain escalated privilege on the system.

Description

shar is a program commonly available on UNIX systems to create a shell script that will recreate a file hierarchy specified by the command line operands. The shar program is often used for distributing a directory of files by FTP or email. The shar program distributed with some versions of the HP-UX operating system creates files with predictable names in the /tmp directory. In environments where multiple users have write access to the /tmp directory, this behavior could be exploited by an attacker to overwrite files with another user's privileges.

Impact

An attacker with the ability to create symbolic links for predictable filenames in the /tmp directory may be able to overwrite files owned by another user. When a shell script generated by the flawed version of the shar program is executed, the symbolic links would be followed and the target files created with the permissions of the user who ran the script.

Solution

Apply a patch from the vendor

Patches that address this vulnerability have been released. Please see the vendor information in the Systems Affected section of this document for more details.

NOTE: After the patches have been applied, Hewlett-Packard recommends that users always specify a secure directory in the TMPDIR environment variable when creating shar archives. Hewlett-Packard also states that shar archives created with previous versions of the shar program will still use the /tmp directory even after the recommended patches are installed. Users are encouraged to inspect existing shar archives and replace references to /tmp with $TMPDIR. This can be accomplished by manually editing the files or with the simple script provided in the Hewlett-Packard bulletin.

Vendor Information

509454
 

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to the Hewlett-Packard Company for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: None
Severity Metric: 2.13
Date Public: 2003-12-02
Date First Published: 2004-01-23
Date Last Updated: 2004-01-23 16:12 UTC
Document Revision: 9

Sponsored by CISA.