CVE-1999-1139
Description
A symlink attack in HP-UX CUE allows local users to overwrite arbitrary files and escalate privileges to root via the IOERROR.mytty file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Character-Terminal User Environment (CUE) program in HP-UX 11.0 and earlier is a setuid root binary that creates an IOERROR.mytty file in the user's home directory. Due to a design flaw, the program follows symbolic links and uses the user's umask when creating the file, allowing a local user to overwrite arbitrary files as root [1].
Exploitation
A local attacker first sets the umask to 000 to ensure the created file is world-writable. Then, a symbolic link is created from ~/IOERROR.mytty to a target file such as /etc/passwd or a system binary. When the cue program is executed, it follows the symlink and overwrites the target file with an empty file, using root privileges [1].
Impact
By overwriting critical system files, an attacker can escalate privileges to root. For example, overwriting /etc/passwd with an empty file can remove password requirements, allowing the attacker to gain root access. Alternatively, replacing a system binary can lead to arbitrary code execution as root [1].
Mitigation
No official patch is mentioned in the available advisory [1]. The recommended mitigation is to remove the setuid bit from the cue binary using chmod u-s /usr/bin/cue. Alternatively, restrict access to the program. Users should upgrade to a patched version if available from HP [1].
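The flaw described under Vulnerability (following symbolic links and inheriting the caller's umask) comes down to how the file is opened. The following is an added example, not code from HP, the advisory or this page: a constructed C illustration of the flawed open call beside a hardened form. It assumes a POSIX.1-2008 system that provides O_NOFOLLOW; the function names and the temporary directory are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed pattern as described above (constructed, not cue's source):
 * follows a symlink, truncates its target, mode left to the caller's umask. */
int create_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: act as the invoking user, refuse symlinks and existing files,
 * and never request more than owner read/write. */
int create_log_safe(const char *path) {
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0) return -1;   /* drop to the real uid */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (seteuid(saved) != 0) { if (fd >= 0) close(fd); return -1; }
    return fd;
}

/* Constructed scenario: IOERROR.mytty is a symlink to a file holding "data".
 * Returns 1 if the safe open failed and the target is unchanged. */
int symlink_is_refused(const char *dir) {
    char victim[512], link[512], buf[8] = {0};
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/IOERROR.mytty", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("data", f) < 0 || fclose(f) != 0) return 0;
    if (symlink(victim, link) != 0) return 0;
    int fd = create_log_safe(link);
    f = fopen(victim, "r");
    size_t n = f ? fread(buf, 1, 4, f) : 0;
    if (f) fclose(f);
    unlink(link); unlink(victim);
    return fd < 0 && n == 4 && strcmp(buf, "data") == 0;
}

int main(void) {
    char tmpl[] = "/tmp/cue_demoXXXXXX";     /* constructed scratch directory */
    char *dir = mkdtemp(tmpl);
    if (!dir) return 1;
    printf("symlink refused: %d\n", symlink_is_refused(dir));
    return rmdir(dir);
}
```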
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
References (5)
- security-archive.merton.ox.ac.uk/bugtraq-199801/0122.html (nvd; Patch, Vendor Advisory)
- www.codetalker.com/advisories/vendor/hp/hpsbux9801-074.html (nvd; Patch, Vendor Advisory, URL Repurposed)
- marc.info (nvd)
- www.ciac.org/ciac/bulletins/i-027b.shtml (nvd)
- www.iss.net/security_center/static/2007.php (nvd)