
HP-UX Suid Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                           HP-UX_suid_Vulnerabilities

November 4, 1996 16:00 GMT                                         Number H-03
______________________________________________________________________________
PROBLEM:       Several HP-UX system utilities are suid root and when run, 
               they open and write log or other files to disk. Using this 
               feature, normal users can add or change privileged system files 
               that then compromise system security and allow those users to 
               gain root access or to destroy files. The following system 
               utilities are known to have this problem. 
                  /usr/diag/bin/DUI (/etc/sysdiag) 
                  /usr/perf/bin/glance 
                  /etc/subnetconfig 
                  Remote Watch /usr/remwatch/* 
                  /usr/bin/ppl 
                  /usr/sbin/swinstall 
                  /usr/bin/X11/gwind (called by: xwcreate and xwdestroy) 
PLATFORM:      HP-UX all versions
DAMAGE:        Unprivileged users can get root or destroy files. 
SOLUTION:      Remove the indicated programs or packages or turn off the 
               suid bit on the indicated programs until a patch is 
               available. 
______________________________________________________________________________
VULNERABILITY  Using these vulnerabilities, any normal user can compromise 
ASSESSMENT:    security and get root access to a system or can destroy system 
               owned files. 
______________________________________________________________________________

                      HP-UX suid Vulnerabilities

CIAC has learned that attack scripts are circulating around the Internet that 
show how to compromise system security using the listed system programs. These 
scripts allow a normal user to gain root access or to destroy system owned 
files.

Several of the vulnerabilities exploited by these scripts have already been 
patched by existing Hewlett Packard (HP) security patches, but it has come to 
our attention that many installed systems have not been patched. Users should 
realize that just because you have installed a new HP computer or upgraded the 
operating system on an existing one does not mean that all the relevant 
security patches have been installed. 

If you are using an HP-UX system, you are advised to check the HP Security 
Advisories at http://us.external.hp.com for ones that apply to your particular 
system. You should then download and install any indicated security patches 
before putting your machine into production. Be sure to check the patch itself 
to see if the patch only applies to an earlier version of HP-UX or if the 
patch has been updated to be applied to the later version as well. This update 
may not be indicated in the security bulletin.

This bulletin lists the programs being exploited and the HP security bulletins 
that describe the patches required to correct the indicated problems. For 
those problems that do not have a bulletin or patch, this bulletin contains 
some workarounds to protect a system until patches are available from HP. CIAC 
will distribute notices of new patches from HP when they become available. 
Note that we do not expect to see patches for any of the older products that 
have been superseded by newer ones.

Several of the problems described here apply to diagnostics and system 
management tools that most normal users will never use. All such tools are 
included in a newly installed system, but can be removed after the 
installation has completed if they are not needed, returning a significant 
amount of disk space to the user. If you don't need a package, delete it. If 
you find you need it in the future, you can always reinstall it. The System 
Administration Manager (SAM) program is very useful in this regard as it can 
remove or install complete filesets.
______________________________________________________________________________

INDICATIONS OF A POSSIBLE COMPROMISE

One of the most common indications that a machine has been compromised by 
these or similar vulnerabilities is a link from a world writable directory 
(such as /tmp) to a system file (such as /.rhosts) in a directory that 
requires root privilege to write or create files, or a /.rhosts file with ++ 
at the beginning of any line. If you should find a similar link or file, your 
system has likely been compromised and should be thoroughly checked for other 
traces of the intruder. For more information on the use of the .rhosts file, 
see the hosts.equiv man page on your system.
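The check described above, written as a POSIX shell script that is an added example for this page and not part of the CIAC bulletin: it lists symbolic links in a world writable directory whose targets sit in a directory that is owned by a privileged account and is not itself world writable, and it reports .rhosts files that have a line beginning with "+". The PRIV_OWNER variable (root by default) and the /var/tmp path in the usage comment are assumptions of the example; the other paths are the bulletin's own.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin. Looks for the two
# indicators the bulletin names: symlinks from a world writable directory
# into a directory that only a privileged account can write, and .rhosts
# lines beginning with "+". PRIV_OWNER names that account (root on a real
# system; a test may set it to the current user).

PRIV_OWNER=${PRIV_OWNER:-root}

# link_target LINK -> prints the target as shown by ls -l (no readlink needed)
link_target() {
    ls -ld "$1" | sed 's/^.* -> //'
}

# find_suspect_links DIR... -> prints "link -> target" for each symlink in
# DIR whose target lives in a directory owned by PRIV_OWNER and not world
# writable. Returns 0 if any were found, 1 if none.
find_suspect_links() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for link in "$dir"/* "$dir"/.[!.]*; do
            [ -L "$link" ] || continue        # unmatched globs and plain files skip here
            target=$(link_target "$link")
            case "$target" in
                /*) ;;
                *)  target="$dir/$target" ;;  # relative link: resolve against DIR
            esac
            tdir=$(dirname "$target")
            info=$(ls -ld "$tdir" 2>/dev/null | awk '{print $1, $3}')
            [ -n "$info" ] || continue        # target directory does not exist
            perm=${info%% *}
            owner=${info#* }
            [ "$owner" = "$PRIV_OWNER" ] || continue
            case "$perm" in
                ????????w?*) continue ;;      # world writable: an ordinary link
            esac
            echo "$link -> $target"
            found=0
        done
    done
    return $found
}

# rhosts_wildcard FILE -> 0 if any line starts with "+" (the "++" / "+ +"
# trust-everyone entry the bulletin warns about), 1 otherwise.
rhosts_wildcard() {
    [ -f "$1" ] && grep -q '^[[:space:]]*+' "$1"
}

# Typical invocation on a live system (/var/tmp is an assumption of this
# example; /tmp and /.rhosts are the bulletin's examples):
#   find_suspect_links /tmp /var/tmp
#   rhosts_wildcard /.rhosts && echo "/.rhosts contains a + entry"
```

A link that points back into the same world writable directory is not reported, because a user could have written that target directly; only links that reach into a directory the user cannot write are of interest.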
______________________________________________________________________________

PROBLEM

The problem is that the listed programs do a suid to root allowing them to run 
with root privilege even though they were started by a normal user. They then 
create or open files without first checking the type and ownership of those 
files. By careful manipulation of the name, location and contents of these 
files, system files can be changed to give a normal user root access or system 
owned files can be damaged or deleted.
______________________________________________________________________________

SOLUTION

For those packages where a patch exists, the patch should be obtained from HP 
and installed on the system. For problems where a patch does not exist yet, 
the files or packages in question should be either removed or the permissions 
changed so that only the root user can run them. By far, the best solution to 
these problems is to remove the packages in question. Most of the packages are 
for diagnostics or system administration purposes and are not needed by a 
normal user. If they are needed, the permissions should be changed to only 
allow the owner to run them, and to clear the suid bit that permits them to 
run as root. The ownership should also be checked to ensure they are owned by 
root.

/usr/diag/bin/DUI (called by /bin/sysdiag) 
- ------------------------------------------

The sysdiag program is the interface to the online diagnostics subsystem. When 
started, this program runs /usr/diag/bin/DUI which is suid root. If you do not 
need to do system diagnostics, you should remove this whole package. The 
package includes all the files in /usr/diag/bin and the file /bin/sysdiag. If 
you need to keep this package, you should change the permissions on all the 
files in /usr/diag/bin and the file /bin/sysdiag to owner only access and 
clear the suid bit. Check that all the files are owned by root. Normal users 
will no longer be able to use sysdiag but the system manager will be able to 
do so when logged in as root.

/usr/perf/bin/glance 
- --------------------

Glance Plus is a performance monitor that is included in most HP-UX system 
installations as a demo package or can be purchased separately. If you do not 
need to do system performance monitoring, you should remove this whole package 
which includes all the files in /usr/perf. An earlier problem with Glance was 
covered in the HP Security Advisory 9405-011 which describes a patch that 
updates Glance to version B.09.01 (700-800) or A.09.07 (300, 400). The current 
vulnerability is not fixed by these updates. If you need to keep this package, 
you should change the permissions of all the files in /usr/perf to owner only 
access and clear the suid bit. Check that the files are owned by root. Normal 
users will no longer be able to use this program but the system manager will 
be able to do so when logged in as root.

/etc/subnetconfig 
- -----------------

The subnetconfig batch file is for setting the subnet behavior of a system. 
Only root can actually change the behavior, but a normal user is able to view 
the current setting by running the program without arguments. A previous 
problem with subnetconfig was described in HP Security Advisory 9402-003, but 
the patch file only applies to HP-UX versions 9.0 and 9.01. The current 
problem is not fixed by that patch. A workaround for this problem is to change 
the permissions of /etc/subnetconfig to owner only access, clear the suid bit 
and check that /etc/subnetconfig is owned by root. Normal users will no longer 
be able to view the current setting but the system manager will still be able 
to change the setting when logged in as root.

/usr/remwatch/* (Remote Watch) 
- ---------------

The Remote Watch package is a system management tool whose capabilities have 
been largely incorporated in the System Administration Manager (SAM). These 
files can not be patched but should be removed as recommended in HP 
Security Advisory #9610-039 included at the end of this advisory.

/usr/bin/ppl 
- ------------

The ppl application is HP's version of SLIP, a Point-To-Point Serial Linking 
protocol for TCP/IP. To protect a system, the /usr/bin/ppl file should be 
changed to owner only access and the suid bit should be cleared. The ppl 
program will not run unless it has root privileges, so normal users will 
not be able to use it. This will cause a problem for normal users who are 
using SLIP to gain access to a machine. If ppl is needed for normal 
operations, sites will have to evaluate the risk on a case by case basis until 
a patch is available.

/usr/sbin/swinstall 
- -------------------

The swinstall program is a software installer included in most HP-UX 10.x 
systems to speed software installations. When not being used, the program 
should be either removed or disabled to prevent it from being used for 
malicious purposes. To disable the program, change the permissions to owner 
only access and clear the suid bit. Ensure that swinstall is owned by root. 
Only root will then be able to do program installations.

/usr/bin/X11/gwind (called by: xwcreate and xwdestroy) 
- ------------------

The gwind program is part of the x-windows system and is called by the 
xwcreate and xwdestroy programs to create or destroy a new x-window. The 
problem with gwind is described in HP Security Bulletin 9410-018. That 
bulletin indicates that patch PHSS_4832 is needed for all systems, but that 
patch has been superseded by the PHSS_5140 patch. Users of all HP-UX 9.x 
systems should download and install PHSS_5140.

______________________________________________________________________________

DISABLING NONUSER FILE ACCESS

In the event that there is no patch available for a particular package and you 
need to keep the package on your system, you must change the file access so 
that only the owner can run it and that the owner is root. To do so, you must 
change the file permissions to owner only access, clear the suid bit, and check 
that the owner is root.

Changing File Access To Owner Only And Clearing suid
- ----------------------------------------------------

To check the permissions and owner of a file, list the file with ls using 
the -l option. 

MyMachine> ls -l /usr/diag/bin/DUI
- -r-sr-xr-x   1 root      bin  14608 Oct 25  1995 DUI

The list of letters on the left shows that the file has read (r) and 
execute (x) access for owner, group and world. Note that the fourth 
character position from the left is an s instead of an x. That letter 
indicates that the suid bit is set and the program can change its uid 
to root. The owner of the file is root as it should be.

To change the access to owner only and clear the suid bit, log on as root 
and use the chmod command as follows. 

MyMachine> chmod 0544 /usr/diag/bin/DUI

If you again list the file, you see that while everyone can still see the 
file, only the owner can execute it and the suid bit is no longer set 
(the s changed to x). 

MyMachine> ls -l /usr/diag/bin/DUI
- -r-xr--r--   1 root      bin  14608 Oct 25  1995 DUI
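The procedure above, scripted as an added example that is not part of the CIAC bulletin: each program is checked for root ownership before it is touched, set to mode 0544 exactly as the chmod command in the bulletin does, and then re-listed so that a suid bit that somehow survived is reported. The function and variable names (harden_program, is_suid, PROGRAMS) and the --apply switch are assumptions of the example; the program paths come from this bulletin.

```shell
#!/bin/sh
# Added example, not from the CIAC bulletin: applies the bulletin's
# workaround (mode 0544, suid cleared, owner root) to a program and
# verifies the result by re-reading ls -l, so a mistyped path or a
# binary that is not owned by root is reported instead of silently
# "fixed". Changes nothing unless invoked with --apply.

# file_mode PATH  -> permission column of ls -l, e.g. -r-sr-xr-x
file_mode()  { ls -ld "$1" | awk '{print $1}'; }
# file_owner PATH -> owner column of ls -l
file_owner() { ls -ld "$1" | awk '{print $3}'; }

# is_suid PATH -> 0 when the fourth character is s (or S: suid without
# execute), the position the bulletin tells the reader to look at.
is_suid() {
    case "$(file_mode "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# harden_program PATH [OWNER]
# Leaves PATH at 0544 (r-xr--r--) with no suid bit. Refuses to touch a
# program not owned by OWNER (root by default): a suid binary owned by
# someone else is something to investigate, not to chmod over.
harden_program() {
    path=$1
    want=${2:-root}
    if [ ! -f "$path" ]; then
        echo "$path: not installed, nothing to do"
        return 0
    fi
    owner=$(file_owner "$path")
    if [ "$owner" != "$want" ]; then
        echo "$path: owned by $owner, expected $want, investigate" >&2
        return 2
    fi
    chmod 0544 "$path" || return 1
    if is_suid "$path"; then
        echo "$path: suid bit still set after chmod" >&2
        return 1
    fi
    echo "$path: now $(file_mode "$path") $owner"
}

# The programs this bulletin says to restrict when they cannot be removed.
# gwind is patched rather than restricted and Remote Watch is removed, so
# neither is listed. For Glance the bulletin restricts everything under
# /usr/perf; only the main binary is shown here.
PROGRAMS="/usr/diag/bin/DUI /bin/sysdiag /usr/perf/bin/glance /etc/subnetconfig /usr/bin/ppl /usr/sbin/swinstall"

if [ "$1" = "--apply" ]; then
    rc=0
    for p in $PROGRAMS; do
        harden_program "$p" || rc=1
    done
    exit $rc
fi
```

Run it as root with --apply; a program reported as "owned by ... expected root" has been left alone on purpose and should be examined by hand.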

______________________________________________________________________________

HP Security Advisory On Remote Watch

=============================================================================

- -------------------------------------------------------------------------
      HEWLETT-PACKARD SECURITY ADVISORY: #000039, 24 October 1996
- -------------------------------------------------------------------------

Hewlett-Packard recommends that the information in the following
Security Advisory should be acted upon as soon as possible. Hewlett-
Packard will not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this Security
Advisory as soon as possible.

Permission is granted for copying and circulating this advisory to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the advisory is
not edited or changed in any way, is attributed to HP, and provided such
reproduction and/or distribution is performed for non-commercial
purposes.

Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.

_______________________________________________________________________
PROBLEM:  Vulnerability in HP Remote Watch in 9.X releases of HP-UX
PLATFORM: HP 9000 series 300/400/700/800s
DAMAGE:   Vulnerabilities in HP Remote Watch exists allowing users to
          gain additional privileges.
SOLUTION: Do not use Remote Watch.
_______________________________________________________________________

I. Remote Watch Update

   A. Problem description

   A recent mailing list disclosure described two vulnerabilities in
   which HP Remote Watch allows unauthorized root access. The first was
   via a socket connection on port 5556.  The second was as a result of
   using the showdisk utility, which is part of the Remote Watch product.
   It has been found that HP9000 Series 300, 400, 700, and 800 systems
   running only HP-UX Release 9.X have this vulnerability.

   B. Fixing the problem

   This vulnerability can only be eliminated from releases 9.X of HP-UX
   which are using Remote Watch by disabling the entire product.  The
   default location for this product is /usr/remwatch/   .
   Removal can be accomplished (as root) with the following:

   NOTE: Do not run the standard rmfn command as HP has discovered
   problems with its inability to handle programs with active executables.

   Instead, run (with no options):

            /usr/remwatch/bin/removeall

   This runs a Remote Watch script called "unconfigure" to stop actively
   running programs, then proceeds to remove all files including the
   filesets.

   The administrator should also perform both of the following steps:

     1.  Remove or comment out the following entry in /etc/inetd.conf
         file:

    rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon

     2.  Have inetd re-read its configuration file by executing at the
         prompt:

    inetd -c


   This is the official recommendation from Hewlett-Packard Company.

   C. Current product status

   Remote Watch was last released from the labs in August of 1993.
   In December 1994 customers were informed of pending product
   obsolescence.   Hewlett-Packard recommends that all customers
   concerned with the security of their HP-UX systems with Remote
   Watch configured on it perform the actions described herein as
   soon as possible.  Again, no patches will be available for any
   versions of HP-UX.

   Since the functionality of HP Remote Watch software has now been
   replicated in other tools that handle system management more
   effectively there is no longer a sufficient need for HP Remote
   Watch.  Most of the functionality is now provided by the Systems
   Administration Manager (SAM) tool, available at no charge as part
   of the HP-UX operating system, or by the HP OpenView
   OperationsCenter application.

   If further assistance is desired please contact your HP Support
   Representative.


   D. HP SupportLine

   To subscribe to automatically receive future NEW HP Security
   Bulletins from the HP SupportLine mail service via electronic mail,
   send an email message to:

          support@us.external.hp.com   (no Subject is required)

   Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE,
   here are some basic instructions you may want to use:

   To add your name to the subscription list for new security bulletins,
   send the following in the TEXT PORTION OF THE MESSAGE:

          subscribe security_info

   To retrieve the index of all HP Security Bulletins issued to date,
   send the following in the TEXT PORTION OF THE MESSAGE:

          send security_info_list

   To get a patch matrix of current HP-UX and BLS security patches
   referenced by either Security Bulletin or Platform/OS, put the
   following in the text portion of your message:

          send hp-ux_patch_matrix

   World Wide Web service for browsing of bulletins is available via
   our URL:
          http://us.external.hp.com

          Choose "Support news", then under Support news,
          choose "Security Bulletins"


   E. To report new security vulnerabilities, send email to

          security-alert@hp.com

   Please encrypt exploit information using the security-alert PGP
   key, available from your local key server, or by sending a
   message with a -subject- (not body) of 'get key' (no quotes) to
   security-alert@hp.com.
====================End of HP Security Advisory====================
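Steps 1 and 2 of the HP advisory above, carried out by a script that is an added example for this page and is neither HP's nor CIAC's: the rwdaemon entry is commented out rather than deleted, a copy of inetd.conf is kept first, the result is verified, and only then is inetd -c run. The function names, the .pre-remwatch backup suffix and the --apply switch are assumptions of the example; the inetd.conf line and the inetd -c command are those given in the advisory.

```shell
#!/bin/sh
# Added example, not part of the HP or CIAC text: carries out steps 1 and 2
# of the HP advisory in a checkable way. The rwdaemon line is commented
# out rather than deleted, a backup of inetd.conf is kept, and the result
# is verified before inetd is told to re-read the file. Nothing on the
# running system is changed unless --apply is given.

# rwdaemon_active CONF -> 0 if an uncommented rwdaemon entry is present
rwdaemon_active() {
    awk '$1 == "rwdaemon" { found = 1 } END { exit !found }' "$1"
}

# disable_rwdaemon CONF -> comments out every rwdaemon entry in CONF,
# keeping the original as CONF.pre-remwatch. Returns 1 on any failure.
disable_rwdaemon() {
    conf=$1
    [ -f "$conf" ] || { echo "$conf: not found" >&2; return 1; }
    cp -p "$conf" "$conf.pre-remwatch" || return 1
    awk '$1 == "rwdaemon" { print "#" $0 "  # disabled per HP Security Advisory 000039"; next }
         { print }' "$conf" > "$conf.tmp" || return 1
    # Rewrite in place through cat so the file keeps its owner and mode.
    cat "$conf.tmp" > "$conf" || return 1
    rm -f "$conf.tmp"
    if rwdaemon_active "$conf"; then
        echo "$conf: rwdaemon entry still active" >&2
        return 1
    fi
    return 0
}

if [ "$1" = "--apply" ]; then
    if rwdaemon_active /etc/inetd.conf; then
        # Step 2 of the advisory: make inetd re-read its configuration.
        disable_rwdaemon /etc/inetd.conf && inetd -c
    else
        echo "/etc/inetd.conf: no active rwdaemon entry"
    fi
fi
```

Matching on the first field only means a line that is already commented out is left as it is, and the verification after editing catches an entry written with leading whitespace or any other form the awk pattern did not anticipate.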
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-41: Vulnerability in BASH Program
G-42: Vulnerability in WorkMan Program
G-43: Vulnerabilities in Sendmail 
G-44: SCO Unix Vulnerability 
G-45: Vulnerability in HP VUE 
G-46: Vulnerabilities in Transarc DCE and DFS 
G-47: Unix FLEXlm Vulnerabilities 
G-48: TCP SYN Flooding and IP Spoofing Attacks 
H-01: Vulnerabilities in bash
H-02: SUN's TCP SYN Flooding Solutions

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN
Notes 08 - 4/4/95      A Courtney update
Notes 09 - 4/24/95     More on the "Good Times" virus urban legend
Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus
Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released, 
                       The Die_Hard Virus
Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95
Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update


-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAgUBMn4nFrnzJzdsy3QZAQGZCAP8DL2AmOi/Pef1Tf5t3sgQwq1izDmspF79
fDpHLChnQsn3AGp7eGA83/ma7EdgiemxGxE5/PtexsB2eY6xglbIbbRJ+dI0h8bf
GPAJDsWVpyPb2K7DI8JAhmeNR7yVWBls/2LXRNRy7hn86QhdlPwnfloZrw8n8PJO
qhGQLRFHtw4=
=DkbS
-----END PGP SIGNATURE-----
