https://www.exploit-db.com/exploits/20162
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-020

HP-UX11.00(S008net.init)的net.initrc脚本存在漏洞。本地用户可以借助从/tmp/stcp.conf指向目标文件的符号链接攻击覆盖任意文件。

source: http://www.securityfocus.com/bid/1602/info

A vulnerability exists in HP-UX, from Hewlett Packard, under certain configurations. Version 11.0 is confirmed to have this problem; other versions may also be susceptible. If the CLEAR_TMP option in /etc/rc.config.d is set to 1, meaning enabled, it is possible for a local user to create a symbolic link in /tmp that will be followed prior to being removed. This will allow the local user to overwrite any file upon reboot.

The /sbin/rc2.d/S008net.init file, and /sbin/rc2.d/S204clean_tmps file are run upon reboot. The net.init is run first. (Lower number S scripts are run first). In the net.init file, a temporary file, /tmp/stcp.conf, is use. This file is blindly written to, and is removed by the clean_tmps script. A local user can simply create this file as a symbolic link to any file, and cause the net.init script to overwrite its contents upon reboot.

ln -sf /VULNERABLE /tmp/stcp.conf
and reboot.

来源:BID
名称:1602
链接:http://www.securityfocus.com/bid/1602
来源:BUGTRAQ
名称:20000821[HackersLabbugpaper]HP-UXnet.initrcscript
链接:http://archives.neohapsis.com/archives/bugtraq/2000-08/0261.html
来源:XF
名称:hp-netinit-symlink
链接:http://xforce.iss.net/static/5131.php