-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
HP-UX_suid_Vulnerabilities
November 4, 1996 16:00 GMT Number H-03
______________________________________________________________________________
PROBLEM: Several HP-UX system utilities are suid root and when run,
they open and write log or other files to disk. Using this
feature, normal users can add or change privileged system files
that then compromise system security and allow those users to
gain root access or to destroy files. The following system
utilities are known to have this problem.
/usr/diag/bin/DUI (/etc/sysdiag)
/usr/perf/bin/glance
/etc/subnetconfig
Remote Watch /usr/remwatch/*
/usr/bin/ppl
/usr/sbin/swinstall
/usr/bin/X11/gwind (called by: xwcreate and xwdestroy)
PLATFORM: HP-UX all versions
DAMAGE: Unprivileged users can get root or destroy files.
SOLUTION: Remove the indicated programs or packages or turn off the
suid bit on the indicated programs until a patch is
available.
______________________________________________________________________________
VULNERABILITY Using these vulnerabilities, any normal user can compromise
ASSESSMENT: security and get root access to a system or can destroy system
owned files.
______________________________________________________________________________
HP-UX suid Vulnerabilities
CIAC has learned that attack scripts are circulating around the Internet that
show how to compromise system security using the listed system programs. These
scripts allow a normal user to gain root access or to destroy system owned
files.
Several of the vulnerabilities exploited by these scripts have already been
patched by existing Hewlett Packard (HP) security patches, but it has come to
our attention that many installed systems have not been patched. Users should
realize that just because you have installed a new HP computer or upgraded the
operating system on an existing one does not mean that all the relevant
security patches have been installed.
If you are using an HP-UX system, you are advised to check the HP Security
Advisories at http://us.external.hp.com for ones that apply to your particular
system. You should then download and install any indicated security patches
before putting your machine into production. Be sure to check the patch itself
to see if the patch only applies to an earlier version of HP-UX or if the
patch has been updated to be applied to the later version as well. This update
may not be indicated in the security bulletin.
This bulletin lists the programs being exploited and the HP security bulletins
that describe the patches required to correct the indicated problems. For
those problems that do not have a bulletin or patch, this bulletin contains
some workarounds to protect a system until patches are available from HP. CIAC
will distribute notices of new patches from HP when they become available.
Note that we do not expect to see patches for any of the older products that
have been superseded by newer ones.
Several of the problems described here apply to diagnostics and system
management tools that most normal users will never use. All such tools are
included in a newly installed system, but can be removed after the
installation has completed if they are not needed, returning a significant
amount of disk space to the user. If you don't need a package, delete it. If
you find you need it in the future, you can always reinstall it. The System
Administration Manager (SAM) program is very useful in this regard as it can
remove or install complete filesets.
______________________________________________________________________________
INDICATIONS OF A POSSIBLE COMPROMISE
One of the most common indications that a machine has been compromised by
these or similar vulnerabilities are links from a world writable directory
(such as /tmp) to a system file (such as /.rhosts) in a directory requiring
root privilege to write or create files there, and /.rhosts files with ++ at
the beginning of any line. If you should find a similar link or file, your
system has likely been compromised and should be thoroughly checked for other
traces of the intruder. For more information on the use of the .rhosts file,
see the hosts.equiv man page on your system.
______________________________________________________________________________
PROBLEM
The problem is that the listed programs do a suid to root allowing them to run
with root privilege even though they were started by a normal user. They then
create or open files without first checking the type and ownership of those
files. By careful manipulation of the name, location and contents of these
files, system files can be changed to give a normal user root access or system
owned files can be damaged or deleted.
______________________________________________________________________________
SOLUTION
For those packages where a patch exists, the patch should be obtained from HP
and installed on the system. For problems where a patch does not exist yet,
the files or packages in question should be either removed or the permissions
changed so that only the root user can run them. By far, the best solution to
these problems is to remove the packages in question. Most of the packages are
for diagnostics or system administration purposes and are not needed by a
normal user. If they are needed, the permissions should be changed to only
allow the owner to run them, and to clear the suid bit that permits them to
run as root. The ownership should also be checked to insure they are owned by
root.
/usr/diag/bin/DUI (called by /bin/sysdiag)
- ------------------------------------------
The sysdiag program is the interface to the online diagnostics subsystem. When
started, this program runs /usr/diag/bin/DUI which is suid root. If you do not
need to do system diagnostics, you should remove this whole package. The
package includes all the files in /usr/diag/bin and the file /bin/sysdiag. If
you need to keep this package, you should change the permissions on all the
files in /usr/diag/bin and the file /bin/sysdiag to owner only access and
clear the suid bit. Check that all the files are owned by root. Normal users
will no longer be able to use sysdiag but the system manager will be able to
do so when logged in as root.
/usr/perf/bin/glance
- --------------------
Glance Plus is a performance monitor that is included in most HP-UX system
installations as a demo package or can be purchased separately. If you do not
need to do system performance monitoring, you should remove this whole package
which includes all the files in /usr/perf. An earlier problem with Glance was
covered in the HP Security Advisory 9405-011 which describes a patch that
updates Glance to version B.09.01 (700-800) or A.09.07 (300, 400). The current
vulnerability is not fixed by these updates. If you need to keep this package,
you should change the permissions of all the files in /usr/perf to owner only
access and clear the suid bit. Check that the files are owned by root. Normal
users will no longer be able to use this program but the system manager will
be able to do so when logged in as root.
/etc/subnetconfig
- -----------------
The subnetconfig batch file is for setting the subnet behavior of a system.
Only root can actually change the behavior, but a normal user is able to view
the current setting by running the program without arguments. A previous
problem with subnetconfig was described in HP Security Advisory 9402-003, but
the patch file only applies to HP-UX versions 9.0 and 9.01. The current
problem is not fixed by that patch. A workaround for this problem is to change
the permissions of /etc/subnetconfig to owner only access, clear the suid bit
and check that /etc/subnetconfig is owned by root. Normal users will no longer
be able to view the current setting but the system manager will still be able
to change the setting when logged in as root.
/usr/remwatch/* (Remote Watch)
- ---------------
The Remote Watch package is a system management tool whose capabilities have
been largely incorporated in the System Administration Manager (SAM). These
files can not be patched but should be removed as recommended by in HP
Security Advisory #9610-039 included at the end of this advisory.
/usr/bin/ppl
- ------------
The ppl application is HP's version of SLIP, a Point-To-Point Serial Linking
protocol for TCP/IP. To protect a system, the /usr/bin/ppl file should be
changed to owner only access and the suid bit should be cleared. The ppl
program will not run unless it is has root privileges, so normal users will
not be able to use it. This will cause a problem for normal users that are
using SLIP to gain access to a machine. If ppl is needed for normal
operations, sites will have to evaluate the risk on a case by case basis until
a patch is available
/usr/sbin/swinstall
- -------------------
The swinstall program is a software installer included in most HP-UX 10.x
systems to speed software installations. When not being used, the program
should be either removed or disabled to prevent it from being used for
malicious purposes. To disable the program, change the permissions to owner
only access and clear the suid bit. Insure that swinstall is owned by root.
Only root will then be able to do program installations.
/usr/bin/X11/gwind (called by: xwcreate and xwdestroy)
- ------------------
The gwind program is part of the x-windows system and is called by the
xwcreate and xwdestroy programs to create or destroy a new x-window. The
problem with gwind is described in HP Security Bulletin 9410-018. That
bulletin indicates that patch PHSS_4832 is needed for all systems, but that
patch has been superseded by the PHSS_5140 patch. Users of all HP-UX 9.x
systems should download and install PHSS_5140.
______________________________________________________________________________
DISABLING NONUSER FILE ACCESS
In the event that there is no patch available for a particular package and you
need to keep the package on your system, you must change the file access so
that only the owner can run it and that the owner is root. To do so, you must
change the file permissions to owner only access,clear the suid bit, and check
that the owner is root.
Changing File Access To Owner Only And Clearing suid
- ----------------------------------------------------
To check the permissions and owner of a file, list the file with ls using
the -l option.
MyMachine> ls -l /usr/diag/bin/DUI
- -r-sr-xr-x 1 root bin 14608 Oct 25 1995 DUI
The list of letters on the left shows that the file has read (r) and
execute (x) access for owner, group and world. Note that the fourth
character position from the left is an s instead of an x. That letter
indicates that the suid bit is set and the program can change its uid
to root. The owner of the file is root as it should be.
To change the access to owner only and clear the suit bit, logon as root
and use the chmod command as follows.
MyMachine> chmod 0544 /usr/diag/bin/DUI
If you again list the file, you see that while everyone can still see the
file, only the owner can execute it and the suid bit is no longer set
(the s changed to x).
MyMachine> ls -l /usr/diag/bin/DUI
- -r-xr--r-- 1 root bin 14608 Oct 25 1995 DUI
______________________________________________________________________________
HP Security Advisory On Remote Watch
=============================================================================
- -------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY ADVISORY: #000039, 24 October 1996
- -------------------------------------------------------------------------
Hewlett-Packard recommends that the information in the following
Security Advisory should be acted upon as soon as possible. Hewlett-
Packard will not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this Security
Advisory as soon as possible.
Permission is granted for copying and circulating this advisory to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the advisory is
not edited or changed in any way, is attributed to HP, and provided such
reproduction and/or distribution is performed for non-commercial
purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
_______________________________________________________________________
PROBLEM: Vulnerability in HP Remote Watch in 9.X releases of HP-UX
PLATFORM: HP 9000 series 300/400/700/800s
DAMAGE: Vulnerabilities in HP Remote Watch exists allowing users to
gain additional privileges.
SOLUTION: Do not use Remote Watch.
_______________________________________________________________________
I. Remote Watch Update
A. Problem description
A recent mailing list disclosure described two vulnerabilities in
which HP Remote Watch allows unauthorized root access. The first was
via a socket connection on port 5556. The second was as a result of
using the showdisk utility, which is part of the Remote Watch product.
It has been found that HP9000 Series 300, 400, 700, and 800 systems
running only HP-UX Release 9.X have this vulnerability.
B. Fixing the problem
This vulnerability can only be eliminated from releases 9.X of HP-UX
which are using Remote Watch by disabling the entire product. The
default location for this product is /usr/remwatch/ .
Removal can be accomplished (as root) with the following:
NOTE: Do not run the standard rmfn command as HP has discovered
problems with its inability to handle programs with active executables.
Instead, run (with no options):
/usr/remwatch/bin/removeall
This runs a Remote Watch script called "unconfigure" to stop actively
running programs, then proceeds to remove all files including the
filesets.
The administrator should also perform both of the following steps:
1. Remove or comment out the following entry in /etc/inetd.conf
file:
rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon
2. Have inetd re-read its configuration file by executing at the
prompt:
inetd -c
This is the official recommendation from Hewlett-Packard Company.
C. Current product status
Remote Watch was last released from the labs in August of 1993.
In December 1994 customers were informed of pending product
obsolescence. Hewlett-Packard recommends that all customers
concerned with the security of their HP-UX systems with Remote
Watch configured on it perform the actions described herein as
soon as possible. Again, no patches will be available for any
versions of HP-UX.
Since the functionality of HP Remote Watch software has now been
replicated in other tools that handle system management more
effectively there is no longer a sufficient need for HP Remote
Watch. Most of the functionality is now provided by the Systems
Administration Manager (SAM) tool, available at no charge as part
of the HP-UX operating system, or by the HP OpenView
OperationsCenter application.
If further assistance is desired please contact your HP Support
Representative.
D. HP SupportLine
To subscribe to automatically receive future NEW HP Security
Bulletins from the HP SupportLine mail service via electronic mail,
send an email message to:
support@us.external.hp.com (no Subject is required)
Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE,
here are some basic instructions you may want to use:
To add your name to the subscription list for new security bulletins,
send the following in the TEXT PORTION OF THE MESSAGE:
subscribe security_info
To retrieve the index of all HP Security Bulletins issued to date,
send the following in the TEXT PORTION OF THE MESSAGE:
send security_info_list
To get a patch matrix of current HP-UX and BLS security patches
referenced by either Security Bulletin or Platform/OS, put the
following in the text portion of your message:
send hp-ux_patch_matrix
World Wide Web service for browsing of bulletins is available via
our URL:
http://us.external.hp.com
Choose "Support news", then under Support news,
choose "Security Bulletins"
E. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt exploit information using the security-alert PGP
key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
====================End of HP Security Advisory====================
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 510-422-8193
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending
E-mail to ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
G-41: Vulnerability in BASH Program
G-42: Vulnerability in WorkMan Program
G-43: Vulnerabilities in Sendmail
G-44: SCO Unix Vulnerability
G-45: Vulnerability in HP VUE
G-46: Vulnerabilities in Transarc DCE and DFS
G-47: Unix FLEXlm Vulnerabilities
G-48: TCP SYN Flooding and IP Spoofing Attacks
H-01: Vulnerabilities in bash
H-02: SUN's TCP SYN Flooding Solutions
RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
Notes 07 - 3/29/95 A comprehensive review of SATAN
Notes 08 - 4/4/95 A Courtney update
Notes 09 - 4/24/95 More on the "Good Times" virus urban legend
Notes 10 - 6/16/95 PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
in S/Key, EBOLA Virus Hoax, and Caibua Virus
Notes 11 - 7/31/95 Virus Update, Hats Off to Administrators,
America On-Line Virus Scare, SPI 3.2.2 Released,
The Die_Hard Virus
Notes 12 - 9/12/95 Securely configuring Public Telnet Services, X
Windows, beta release of Merlin, Microsoft Word
Macro Viruses, Allegations of Inappropriate Data
Collection in Win95
Notes 96-01 - 3/18/96 Java and JavaScript Vulnerabilities, FIRST
Conference Announcement, Security and Web Search
Engines, Microsoft Word Macro Virus Update<Picture>
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAgUBMn4nFrnzJzdsy3QZAQGZCAP8DL2AmOi/Pef1Tf5t3sgQwq1izDmspF79
fDpHLChnQsn3AGp7eGA83/ma7EdgiemxGxE5/PtexsB2eY6xglbIbbRJ+dI0h8bf
GPAJDsWVpyPb2K7DI8JAhmeNR7yVWBls/2LXRNRy7hn86QhdlPwnfloZrw8n8PJO
qhGQLRFHtw4=
=DkbS
-----END PGP SIGNATURE-----
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
