Exploit:
                       HP-UX 10.20

 One night I had nothing better to do, so I
 logged on to my college to play with the
 computers...

 I was surprised to see in MOTD that we are
 upgraded to Hp-UX 10.20.. So I decided to
 check for suid binaries...

 Sure enough I found a ton of them (more
 than 50 I belive)

 One of the programs that attracted my
 attention was cue (Hewlett Packard
 Character-based User Environment)

 As it was possible to make it a login
 program, I decided to investigate further.

 $ export LOGNAME=root
 $ cue
 Welcome root

 That was encouraging, of course it gave
 up the suid priviledges when I got the
 shell, but a different problem exists..
 Since it was mislead by $LOGNAME (big
 oops in login programs :), it detected
 that I am in fact not root... BUT

 When I did ls -la, I found this:

 -rw------- root mygroup 0 IOERROR.mytty

 So, it also follows my umask...

 $ umask 000
 $ cue
 -rw-rw-rw- root mygroup  0 IOERROR.mytty

 I decided to check whether or not it will
 follow symlinks, so I created a symlink
 to /lost+found/test (unwriteable by anyone)

 $ cue
 $ ls -la /lost+found
 -rw-rw-rw- root mygroup 0 test

 So, it also follows symlinks...

 However, it wipes out the target file. A
 symlink to /etc/passwd comes to mind.

 But, since it follows the umask, it might be
 possible to replace binaries executed by
 system...

 In any event, a very dangerous condition...

 I do not have the access to source code,
 so I can't think of a patch. Probably
 replace getenv with getuid or something
 like that.

 So the recommendation would be to remove
 the program's suid bit, as usual.