HP-UX usermod command unauthorized file and directory access
hpux-usermod-unauthorized-access (25311)
Description:
HP-UX could allow a local attacker to gain unauthorized access to arbitrary files and directories, caused by an unspecified vulnerability in the "usermod" command. An attacker could exploit this vulnerability by changing the permissions on all files and directories under the target user's home directory, allowing the attacker to bypass security restrictions and gain unauthorized access to other users' files and directories.
Consequences:
Gain Access
Remedy:
Refer to Hewlett-Packard Company Security Bulletin HPSBUX02102 SSRT051078 rev.1 for patch, upgrade, or suggested workaround information. See References.
References:
- Hewlett-Packard Company Security Bulletin HPSBUX02102 SSRT051078 rev.1: HP-UX usermod(1M) Local Unauthorized Access.
- ASA-2006-087: HP-UX usermod Local Unauthorized Access (HPSBUX02102)
- BID-17143: HP-UX Usermod Local Unauthorized Access Vulnerability
- CVE-2006-1248: Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B.11.23, when run with certain options that involve a new home directory, might cause usermod to change the ownership of all directories and files under the new directory, which might result in less secure permissions than intended.
- SA19305: HP-UX usermod Recursive Ownership Change Security Issue
- SECTRACK ID: 1015782: HP-UX usermod Lets Local Users Modify File and Directory Permissions
- SECTRACK ID: 1015834: HP-UX Unspecified Bug in passwd Lets Local Users Deny Service
- VUPEN/ADV-2006-0997: HP-UX usermod Command Options Local Unauthorized Access Vulnerability
Platforms Affected:
- HP HP-UX 11.00
- HP HP-UX 11.11
- HP HP-UX 11.23
Reported:
Mar 15, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
