Title: HP JetAdmin symlink Vulnerability
Severity: CRITICAL
Description:
A vulnerability exists in HP's JetAdmin Rev. D.01.09 software. Due to its failure to check if it is following a symbolic link, it is possible for an attacker to create a link from /tmp/jetadmin.log to anywhere on the filesystem, with permissions for reading and writing by everyone on the system. This can be used to gain root access.
The problem lies in the checking and creation of the log file. The following snippit is from /opt/hpnp/admin/jetadmin.
----
LOG=$TMP/jetadmin.log
if [ ! -f "$LOG" ]
then
touch $LOG
chmod 666 $LOG
fi
----
If the log file does not exist, the jetadmin script will create it, and change its permissions to 666. It does not check if the file is a symbolic link.
Affected Products:
- HP JetAdmin 1.0.9Rev. D
References:
- Hewlett Packard: HP Support
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
