HP-UX CDE Default PATH Vulnerability

On HP9000 700/800 series systems running HP-UX 10.X, users who log in using CDE have the current directory as part of the environment variable PATH. This allows an attacker to disguise malicious executables as commonly used system utilities (like ls) in world-writable directories, where they are executed unknowingly by another user or by root (when in that directory). An example of this is below:

An attacker with regular user permissions creates a shell script called 'ls' in all world-writable directories.

'./ls' first executes the regular /bin/ls, then leaves a setuid root shell somewhere (or adds an entry to /etc/passwd, or writes to /.rhosts).

To the user running what they think is 'ls', nothing seems wrong.
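
A check for the condition described above, as an added example that is not part of the original advisory: it reports every PATH entry that makes the shell search the current directory. It goes beyond an explicit '.' to cover empty entries and relative paths, which a POSIX shell also resolves against the current directory; the function name audit_path and the SAMPLE_PATH value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): report PATH entries that make the
# shell search the current working directory.

# audit_path PATHSTRING  (hypothetical helper name)
# Prints one line per risky entry; exit status 0 = clean, 1 = findings.
audit_path() (
    rest="$1:"      # terminate every entry with ':' so a trailing empty one survives
    pos=0
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first ':'
        rest=${rest#*:}         # everything after it
        pos=$((pos + 1))
        case $entry in
            /*) continue ;;     # absolute directory: not tied to the cwd
            '') why='empty entry, treated as current directory' ;;
            .)  why='explicit current directory' ;;
            *)  why='relative path, resolved against current directory' ;;
        esac
        # If an absolute directory is still to come, a file planted here is
        # found first and shadows the real utility of the same name.
        case ":$rest" in
            *:/*) order='searched before later system directories' ;;
            *)    order='searched after all absolute directories' ;;
        esac
        printf '%d: [%s] %s; %s\n' "$pos" "$entry" "$why" "$order"
        found=1
    done
    [ "$found" -eq 0 ]
)

# Constructed sample value, not taken from a real HP-UX system.
SAMPLE_PATH='.:/usr/bin::/usr/contrib/bin:bin:'
audit_path "$SAMPLE_PATH" || echo 'PATH searches the current directory' >&2
```

Run it against a login session's own value with audit_path "$PATH"; entries reported as searched before system directories are the ones that let a planted './ls' take precedence over /bin/ls.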


 

Copyright 2010, SecurityFocus