HP Apollo Crp Vulnerability

          _____________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
			 Information Bulletin
 
	  Hewlett Packard/Apollo Domain/OS crp Vulnerability
 
December 20, 1991 1000 PST 					Number C-12
_________________________________________________________________________
PROBLEM: The crp facility on Domain/OS systems is vulnerable to 
	network attack 
PLATFORM:  Hewlett Packard/Apollo Domain/OS SR10 systems through 
	version SR10.3 (both UNIX and AEGIS systems are affected)
DAMAGE: An authorized user at a remote or local site can obtain the 
	privileges of the user running crp on a Domain/OS system
SOLUTION: The workaround provided below should be applied to all 
	Domain/OS systems supporting crp until a patch is available 
	from HP/Apollo.
__________________________________________________________________________
		Critical Facts about crp vulnerability

CIAC has learned of a workaround to a vulnerability which exists in
the Hewlett Packard/Apollo (HP/Apollo) Domain/OS crp facility.
Failure to close this vulnerability may allow an unauthorized
remote or local user to obtain the privileges of a user running crp
on a Domain/OS system.  Both the UNIX and AEGIS versions of the
Domain/OS systems are affected by this vulnerability.  A patch is
under development by HP/Apollo and should be available in the SR10.3
patch tape (planned release is February 1992).  This patch will be
incorporated in the next major release of HP/Apollo Domain/OS.

Until the patch is available from the vendor, CIAC recommends that all
HP/Apollo Domain/OS systems apply the following workaround.  This
workaround will disable two system calls made by /usr/apollo/bin/crp.
Consequently, the functionality of various software programs may be
affected, since the workaround will disable the ability to define
programmable function keys, create new windows on the client node, or
execute background processes using the Display Manager interface.

In the description of the workaround below, the specific commands
applicable to the UNIX or AEGIS version of Domain/OS will be
identified.

1.	Create a file "crplib.c" containing the following:

	extern void pad_$dm_cmd(void);
	void pad_$dm_cmd() { }
	extern void pad_$def_pfk(void);
	void pad_$def_pfk() { }

2.	Compile this program using the '-pic' option of the C compiler

(AEGIS)	/com/cc crplib.c -pic
(UNIX)	/bin/cc -c crplib.c -WO -pic

3.	Copy the resulting library to /lib/crplib or other standard
	library location on the system and change the permission on
	the file to allow users to link to the library

(AEGIS)	/com/cpf crplib.bin /lib/crplib
(AEGIS)	/com/edacl -p root prwx -g wheel rx -w rx /lib/crplib

(UNIX)	/bin/cp crplib.o /lib/crplib
(UNIX)	/bin/chmod 755 /lib/crplib

4.	Replace the original crp facility with a script that will do
	an 'inlib' of the created library file before running crp.

(AEGIS)	/com/chn /usr/apollo/bin/crp crp.orig
(UNIX)	/bin/mv /usr/apollo/bin/crp /usr/apollo/bin/crp.orig

5.	Create a file '/usr/apollo/bin/crp' containing the following:

(AEGIS)
	#!/com/sh
	/com/sh -c inlib /lib/crplib ';' /usr/apollo/bin/crp.orig^*
(UNIX)
	#!/bin/sh
	inlib /lib/crplib
	exec /usr/apollo/bin/crp.orig "$@"

6.	Change the permissions on this script file to make it
	accessible to users on the system as a replacement for the
	original crp facility

(AEGIS)	/com/edacl -p root prwx -g wheel rx -w rx /usr/apollo/bin/crp
(UNIX)	/bin/chmod 755 /usr/apollo/bin/crp
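
A check that steps 1 through 6 (UNIX variant) are in place, as an added example that is not part of the CIAC bulletin or HP/Apollo's code. It assumes a POSIX shell; the function names and the optional ROOT prefix argument are hypothetical.

```sh
# Added example (not CIAC's or HP/Apollo's code): audit the UNIX-variant workaround.
# check_crp_workaround [ROOT]; ROOT is a hypothetical prefix for a copied/mounted tree.

mode_of() {
    # File type plus permission bits, e.g. -rwxr-xr-x for mode 755.
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

first_line_of() {
    # Line number of the first line in file $2 matching pattern $1 (empty if none).
    grep -n "$1" "$2" | head -n 1 | cut -s -d: -f1
}

check_crp_workaround() {
    root=${1:-}
    crp="$root/usr/apollo/bin/crp"
    orig="$root/usr/apollo/bin/crp.orig"
    lib="$root/lib/crplib"
    rc=0

    # Step 3: stub library installed and mode 755.
    if [ ! -f "$lib" ]; then
        echo "FAIL: $lib missing (stub library not installed)"; rc=1
    elif [ "$(mode_of "$lib")" != "-rwxr-xr-x" ]; then
        echo "FAIL: $lib is $(mode_of "$lib"), expected mode 755"; rc=1
    fi

    # Step 4: original binary moved aside as crp.orig.
    [ -f "$orig" ] || { echo "FAIL: $orig missing (original crp not renamed)"; rc=1; }

    # Steps 5-6: crp is now the wrapper script, mode 755.
    if [ ! -f "$crp" ]; then
        echo "FAIL: $crp missing"; rc=1
    else
        [ "$(mode_of "$crp")" = "-rwxr-xr-x" ] ||
            { echo "FAIL: $crp is $(mode_of "$crp"), expected mode 755"; rc=1; }
        # The inlib line must precede the exec; an inlib after the exec never runs.
        inlib_ln=$(first_line_of '^[[:space:]]*inlib /lib/crplib[[:space:]]*$' "$crp")
        exec_ln=$(first_line_of '^[[:space:]]*exec /usr/apollo/bin/crp\.orig' "$crp")
        if [ -z "$inlib_ln" ] || [ -z "$exec_ln" ] || [ "$inlib_ln" -ge "$exec_ln" ]; then
            echo "FAIL: $crp does not inlib /lib/crplib before exec of crp.orig"; rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: crp workaround in place under ${root:-/}"
    return "$rc"
}
```

Call `check_crp_workaround` with no argument to audit the running node, or pass the root of a copied tree; a non-zero return means at least one step is missing.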


For additional information or assistance, please contact CIAC:

	Tom Longstaff
	(510)423-4416** or (FTS) 543-4416
	longstaf@llnl.gov

(FAX) (510) 423-8002** or (FTS) 543-8002

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193**/(FTS)532-8193.  

**Note area code has changed from 415, although the 415 area code will
work until Jan. 1992.

PLEASE NOTE:  Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response team,
DARPA's CERT/CC, NAVCIRT, and the Air Force response team.  Your
agency's team will coordinate with CIAC.

CIAC would like to thank the Computer Emergency Response
Team/Coordination Center (CERT/CC) for some of the material provided
in this bulletin.  Neither the United States Government nor the
University of California nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights.  Reference herein to any
specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation, or favoring by the United
States Government or the University of California.  The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government nor the University of
California, and shall not be used for advertising or product
endorsement purposes.
