{"vuid":"VU#509454","idnumber":"509454","name":"HP-UX shar utility creates files with predictable names in \"/tmp\" directory","keywords":["HP-UX","privilege escalation","shar utility","files with predictable names","/tmp"],"overview":"The shar program distributed with some versions of the HP-UX operating system creates files insecurely. This vulnerability could allow local users to gain escalated privilege on the system.","clean_desc":"shar is a program commonly available on UNIX systems to create a shell script that will recreate a file hierarchy specified by the command line operands. The shar program is often used for distributing a directory of files by FTP or email. The shar program distributed with some versions of the HP-UX operating system creates files with predictable names in the /tmp directory. In environments where multiple users have write access to the /tmp directory, this behavior could be exploited by an attacker to overwrite files with another user's privileges.","impact":"An attacker with the ability to create symbolic links for predictable filenames in the /tmp directory may be able to overwrite files owned by another user. When a shell script generated by the flawed version of the shar program is executed, the symbolic links would be followed and the target files created with the permissions of the user who ran the script.","resolution":"Apply a patch from the vendor Patches that address this vulnerability have been released. Please see the vendor information in the Systems Affected section of this document for more details. NOTE: After the patches have been applied, Hewlett-Packard recommends that users always specify a secure directory in the TMPDIR environment variable when creating shar archives. Hewlett-Packard also states that shar archives created with previous versions of the shar program will still use the /tmp directory even after the recommended patches are installed. Users are encouraged to inspect existing shar archives and replace references to /tmp with $TMPDIR. This can be accomplished by manually editing the files or with the simple script provided in the Hewlett-Packard bulletin.","workarounds":"","sysaffected":"","thanks":"Thanks to the Hewlett-Packard Company  for reporting this vulnerability.","author":"This document was written by Chad R Dougherty.","public":["h","t","t","p",":","/","/","w","w","w",".","s","e","c","u","n","i","a",".","c","o","m","/","a","d","v","i","s","o","r","i","e","s","/","1","0","3","3","9","/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2003-12-02T17:47:07Z","publicdate":"2003-12-02T00:00:00Z","datefirstpublished":"2004-01-23T16:12:11Z","dateupdated":"2004-01-23T16:12:22Z","revision":9,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"15","cam_impact":"7","cam_easeofexploitation":"6","cam_attackeraccessrequired":"10","cam_scorecurrent":"2.12625","cam_scorecurrentwidelyknown":"2.716875","cam_scorecurrentwidelyknownexploited":"5.079375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":2.12625,"vulnote":null}