The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of HP Tru64 UNIX: privilege elevation via AdvFS

Synthesis of the vulnerability 

A local attacker can use AdvFS in order to elevate his privileges.
Vulnerable systems: Tru64 UNIX.
Severity of this threat: 2/4.
Creation date: 07/11/2008.
References of this weakness: BID-32160, c01599842, CERTA-2008-AVI-548, CVE-2008-4414, HPSBTU02383, SSRT080098, VIGILANCE-VUL-8228.

Description of the vulnerability 

The AdvFS filesystem can be installed as an option under Tru64 UNIX. The /usr/sbin/showfile command displays the attributes of an AdvFS file.

A local attacker can use showfile to elevate his privileges.

This vulnerability may be related to a buffer overflow occurring in this suid/sgid command.

This vulnerability alert impacts software or systems such as Tru64 UNIX.

Our Vigil@nce team determined that the severity of this computer weakness alert is medium.

The trust level is: confirmed by the editor. The origin of the attack is: user shell.

An attacker with an expert ability can exploit this computer vulnerability.

Solutions for this threat 

HP Tru64 UNIX: patch for AdvFS.
A patch is available:

HP Tru64 UNIX 5.1B-4
  PREREQUISITE: HP Tru64 UNIX 5.1B-4 PK6 (BL27)
  Name: T64KIT1001551-V51BB27-ES-20081015.tar
  Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001551-V51BB27-ES-20081015

HP Tru64 UNIX 5.1B-3
  PREREQUISITE: HP Tru64 UNIX 5.1B-3 PK5 (BL26)
  Name: T64KIT1001540-V51BB26-ES-20080916.tar
  Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001540-V51BB26-ES-20080916
