header-logo
Suggest Exploit
vendor:
JetAdmin
by:
SecurityFocus
7.5
CVSS
HIGH
Symbolic Link Following
N/A
CWE
Product Name: JetAdmin
Affected Version From: D.01.09
Affected Version To: D.01.09
Patch Exists: YES
Related CWE: N/A
CPE: a:hewlett_packard:jetadmin
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
1998

HP JetAdmin Rev. D.01.09 Vulnerability

HP's JetAdmin Rev. D.01.09 software fails to check if it is following a symbolic link, allowing an attacker to create a link from /tmp/jetadmin.log to anywhere on the filesystem, with permissions for reading and writing by everyone on the system. This can be used to gain root access.

Mitigation:

Ensure that the JetAdmin software is up to date and that the log file is not a symbolic link.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/157/info

A vulnerability exists in HP's JetAdmin Rev. D.01.09 software. Due to its failure to check if it is following a symbolic link, it is possible for an attacker to create a link from /tmp/jetadmin.log to anywhere on the filesystem, with permissions for reading and writing by everyone on the system. This can be used to gain root access.

The problem lies in the checking and creation of the log file. The following snippit is from /opt/hpnp/admin/jetadmin.
----
LOG=$TMP/jetadmin.log

if [ ! -f "$LOG" ]
then
touch $LOG
chmod 666 $LOG
fi
----

If the log file does not exist, the jetadmin script will create it, and change its permissions to 666. It does not check if the file is a symbolic link.

ln -sf /.rhosts /tmp/jetadmin.log