{"vuid":"VU#127435","idnumber":"127435","name":"HPUX kmmodreg allows arbitrary file overwriting via symlink redirection of temporary file","keywords":["HPUX","kmmodreg","symlink","/tmp","tmp","temp file","temporary file","PHCO_24112"],"overview":"The kmmodreg program distributed with some HPUX versions creates two temporary files with predictable names. Due to insecure handling of these files, an intruder may use them to overwrite arbitrary files during system boot via a symbolic link attack.","clean_desc":"The kmmodreg program distributed with some HPUX versions creates two files in /tmp: /tmp.kmmodreg_lock and /tmp/kmpath.tmp. The creat() call used in this program does not check for prior existence of either file.","impact":"By creating symbolic links named for either of the two temporary files, an intruder can overwrite any file in the system with data from kmmodreg. Since kmmodreg runs automatically during reboot, no separate invocation is required. The overwrite may cause a file corruption leading to denial of service, or, since the temporary files are created to allow modification by anyone (protected 666), this may be used to allow modification of system files leading to increased user privileges.","resolution":"Apply vendor patches; see the Systems Affected section below.","workarounds":"","sysaffected":"","thanks":"This vulnerability was first reported by Graf Potozky.","author":"This document was last updated by Tim Shimeall.","public":["http://www.securityfocus.com/bid/2821","http://www.ciac.org/ciac/bulletins/l-093.shtml"],"cveids":["CVE-2001-1256"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-06-12T12:38:44Z","publicdate":"2001-06-04T00:00:00Z","datefirstpublished":"2001-07-31T13:56:16Z","dateupdated":"2001-08-01T16:17:59Z","revision":6,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"8","cam_population":"10","cam_impact":"18","cam_easeofexploitation":"15","cam_attackeraccessrequired":"10","cam_scorecurrent":"11.64375","cam_scorecurrentwidelyknown":"14.175","cam_scorecurrentwidelyknownexploited":"24.3","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":11.64375,"vulnote":null}