-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-97.02
Original issue date: January 7, 1997
Last revised: April 3, 1997 
              Updates section - Added a note that the vulnerability is being
                                exploited. 

Topic: HP-UX newgrp Buffer Overrun Vulnerability
- -----------------------------------------------------------------------------

   The text of this advisory was originally released on December 3, 1996, as
   AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability, developed by
   AUSCERT. Because of the seriousness of the problem, we are reprinting the
   AUSCERT advisory here with their permission. Only the contact information
   at the end has changed: AUSCERT contact information has been replaced with
   CERT/CC contact information.

   We will update this advisory as we receive additional information.
   Look for it in an "Updates" section at the end of the advisory.

===========================================================================

AUSCERT has received information that a vulnerability exists in the
newgrp(1) program under HP-UX 9.x and 10.x.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

Currently there are no vendor patches available that address this
vulnerability.  AUSCERT recommends that sites take the steps outlined in
section 3 as soon as possible.

This advisory will be updated as more information becomes available.
- ----------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    HP-UX newgrp(1) program.  The newgrp command is used to change a users
    group identification, and is installed by default.

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    newgrp program while it is executing.  By supplying a carefully
    designed argument to the newgrp program, intruders may be able to
    force newgrp to execute arbitrary commands.  As newgrp is setuid
    root, this may allow intruders to run arbitrary commands with root
    privileges.

    This vulnerability is known to affect both HP-UX 9.x and 10.x.

    By default, newgrp is located in /bin under HP-UX 9.x and in
    /usr/bin under HP-UX 10.x.

    Exploit information involving this vulnerability has been made
    publicly available.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    AUSCERT recommends that sites limit the possible exploitation of this
    vulnerability by immediately removing the setuid permissions as stated
    in Section 3.1.  If the newgrp command is required, AUSCERT recommends
    the newgrp wrapper program given in Section 3.2 be installed.

    AUSCERT recommends that official vendor patches be installed when
    they are made available.  See the Updates section for information
    about availability of patches.

3.1 Remove setuid and non-root execute permissions

    To prevent the exploitation of the vulnerability described in the
    advisory, AUSCERT recommends that the setuid permissions be removed from
    the newgrp program immediately.  As the newgrp program will no
    longer work for non-root users, it is recommended that the execute
    permissions also be removed.  Before doing so, the original permissions
    for newgrp should be noted as they will be needed if sites choose to
    install the newgrp wrapper program (Section 3.2).

    For HP-UX 9.x:

        # ls -l /bin/newgrp
        -r-sr-xr-x   1 root     sys        16384 Dec  2 13:45 /bin/newgrp

        # chmod 500 /bin/newgrp
        # ls -l /bin/newgrp
        -r-x------   1 root     sys        16384 Dec  2 13:45 /bin/newgrp

    For HP-UX 10.x:

        # ls -l /usr/bin/newgrp
        -r-sr-xr-x   1 root     sys        12288 Dec  2 13:27 /usr/bin/newgrp

        # chmod 500 /usr/bin/newgrp
        # ls -l /usr/bin/newgrp
        -r-x------   1 root     sys        12288 Dec  2 13:27 /usr/bin/newgrp

    Note that this will remove the ability for any non-root user to run the
    newgrp program.

3.2 Install newgrp wrapper

    AUSCERT has developed a wrapper to help prevent programs from being
    exploited using the vulnerability described in this advisory.  This
    wrapper, including installation instructions, can be found at:

        ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper.c

    This replaces the newgrp program with a wrapper which checks the
    length of the command line arguments passed to it.  If an argument
    exceeds a certain predefined value (MAXARGLEN), the wrapper exits
    without executing the newgrp command.  The wrapper program can also
    be configured to syslog any failed attempts to execute newgrp with
    arguments exceeding MAXARGLEN.  For further instructions on using
    this wrapper, please read the comments at the top of overflow_wrapper.c.

    When compiling overflow_wrapper.c for use with HP-UX newgrp, AUSCERT
    recommends defining MAXARGLEN to be 16.

    The MD5 checksum for Version 1.0 of overflow_wrapper.c is:

        MD5 (overflow_wrapper.c) = f7f83af7f3f0ec1188ed26cf9280f6db

    AUSCERT recommends that until vendor patches can be installed, sites
    requiring the newgrp functionality apply this workaround.

- ----------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.  AUSCERT also
thanks Information Technology Services of the University of Southern
Queensland for their assistance.
- ----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org


* Registered U.S. Patent and Trademark Office.

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.02.hp_newgrp
           http://www.cert.org
               click on "CERT Advisories"

=============================================================================
UPDATES

April 4, 1997
- -------------
The CERT/CC has received reports that the vulnerability described in this
advisory is being exploited.

January 14, 1997
- ----------------
All HP patches are now available, see HEWLETT-PACKARD SECURITY BULLETIN:
#00048, issued on 09 January 1997:

          PHCO_9603  for all platforms with HP-UX releases 9.X
          PHCO_9604  for all platforms with HP-UX releases 10.00/10.01
          PHCO_9605  for all platforms with HP-UX releases 10.10/10.20

   Fixing the problem

      The vulnerability can be eliminated from HP-UX releases 9.X and
      10.X by applying the appropriate patch.

   Recommended solution

      1.  Determine which patch are appropriate for your operating
          system.

      2.  Hewlett-Packard's HP-UX patches are available via email
          and the World Wide Web

          To obtain a copy of the Hewlett-Packard SupportLine email
          service user's guide, send the following in the TEXT PORTION
          OF THE MESSAGE to support@us.external.hp.com (no Subject
          is required):

                               send guide

          The users guide explains the HP-UX patch downloading process
          via email and other services available.

          World Wide Web service for downloading of patches
          is available via our URL:
                  (http://us.external.hp.com)

      3.  Apply the patch to your HP-UX system.

      4.  Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log
          (10.X), for any relevant WARNING's or ERROR's.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Apr. 04, 1997  Updates - added note that the vulnerability is being exploited. 
Jan. 14, 1997  Updates - added patch information.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM0PA7HVP+x0t4w7BAQHHWAQAvFqQngkTvwogTy+v+mRcNgYvygWKgn0g
jYJrt0UUQ995mLJhMp4PWa0KiEczOAOtjMROq/a9t/6G+LdIuxSnTpI2XONcWOmt
RzB7CnV1iyY7gFElqvmUSPte4+6lzq5pm3eVHOcRWAeEMUJbd8FndIe7h2yF+z9v
xm7pp5VdDHU=
=2f35
-----END PGP SIGNATURE-----