
HP-UX Large Uids Gids Vulnerability


[ For Public Release ]
             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   HP-UX Large UIDs and GIDs Vulnerability
                  Revision to HP 9000 Access in Bulletin H-09

July 31, 1997 21:00 GMT                                            Number H-91
______________________________________________________________________________
PROBLEM:       A vulnerability exists with the use of user or group IDs
               greater than 60000.
PLATFORM:      HP 9000 series 700/800 systems running HP-UX version 10.
DAMAGE:        Allows for an increase in capability and unauthorized access.
SOLUTION:      Apply patches listed below.
______________________________________________________________________________
VULNERABILITY  The information on this vulnerability should be acted upon as
ASSESSMENT:    soon as possible. Hewlett Packard will not be liable for any
               consequences to any customer resulting from customer's failure
               to fully implement instructions in this Security Bulletin as
               soon as possible.
______________________________________________________________________________

[ Start Hewlett-Packard Advisory ]

Document ID:  HPSBUX9611-041
Date Loaded:  970730
      Title:  Vulnerability with Large UIDs and GIDs in HP-UX 10.20

-------------------------------------------------------------------------
**REVISED 02** HEWLETT-PACKARD SECURITY BULLETIN: #00041, 20 January 1997
Last Revised: 29 July 1997
-------------------------------------------------------------------------

 The information in the following Security Bulletin should be acted upon
 as soon as possible.  Hewlett Packard will not be liable for any
 consequences to any customer resulting from customer's failure to fully
 implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------

PROBLEM:  Use of user or group IDs greater than 60000

PLATFORM: HP 9000 series 700/800 systems running version 10.20

DAMAGE:   Increase in capability and unauthorized access

SOLUTION: **REVISED 01**
          Install PHSS_9343, PHNE_9377, and PHNE_9504.  Then examine
          the system for suid files that may not be safe for a large
          uid/gid system.  Any such files must be certified by their
          providers as safe for use in large uid/gid system.
          **REVISED 02**
          Apply patch PHSS_11309. PHSS_9799, which superseded
          PHSS_9343, inadvertently omitted the fix.
          Do not use PHSS_9799; it is now unavailable.
          Both PHSS_9343 and PHSS_9799 have been superseded by
          PHSS_11309, which does have the fix.

AVAILABILITY: PHSS_9343, PHNE_9377, PHNE_9504 and PHSS_11309 are
              available now.

CHANGE SUMMARY: **REVISED 02**
          One of the patches needed, PHSS_9343 (hpterm) was
          superseded by a patch that omitted the fix, PHSS_9799.
          Do not use PHSS_9799.  It has been superseded by PHSS_11309.

          PHSS_9343 has also been superseded by PHSS_11309.  You can
          continue to use PHSS_9343.  However, PHSS_11309 has additional
          defect fixes and you may want to install it.

          NOTE: You still need to install PHNE_9377 and PHNE_9504 or
          subsequent.  You also need to examine the system for suid
          files that may not be safe for a large uid/gid system.
-------------------------------------------------------------------------

I.
   A. Background
      Large user and group IDs are a new feature of HP-UX revision 10.20.
      Requirements for a program to work in a large uid/gid system are
      detailed in the 10.20 Release Notes.  In particular, the uid or gid
      must not be stored in a short int.  Doing so in a suid program
      can result in an increase in capability, including root access.
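      To make the point about short ints concrete, the following C
      illustration (added here; it is not HP's code and is not part of
      the original bulletin) computes what a suid program that copies
      the caller's uid into a short int actually stores.  The sample
      ids are constructed, not taken from any real system.

```c
#include <stdio.h>
#include <sys/types.h>

/*
 * Illustration added to this copy of the bulletin; it is not HP's code.
 * HP-UX 10.20 large uid/gid support allows ids above the old 60000
 * limit, but a suid program that copies a uid_t into a short int keeps
 * only the low 16 bits.  These helpers compute what such a program
 * would "see" for a given caller uid.  The correct pattern is simply to
 * keep the id in uid_t for its whole lifetime, with no narrowing copy.
 */

/* What the defective pattern  "unsigned short u = getuid();"  stores. */
unsigned int truncated_uid(uid_t uid)
{
    unsigned short u = (unsigned short)uid;   /* silent 16-bit truncation */
    return (unsigned int)u;
}

/* What the defective pattern  "short s = getuid();"  stores.  Conversion
 * of an out-of-range value to a signed type is implementation-defined;
 * the usual two's-complement wrap-around is assumed here. */
int truncated_signed_uid(uid_t uid)
{
    short s = (short)uid;
    return (int)s;
}

/* 1 if a 16-bit store changes the id, 0 if the id survives intact. */
int uid_is_truncated(uid_t uid)
{
    return truncated_uid(uid) != (unsigned int)uid;
}

/* 1 if a non-root caller would be mistaken for uid 0 after truncation. */
int truncation_yields_root(uid_t uid)
{
    return uid != 0 && truncated_uid(uid) == 0;
}

int main(void)
{
    /* constructed sample ids, not values from any real system */
    uid_t samples[] = { 1000, 60001, 65535, 65536, 65537, 131072 };
    size_t n = sizeof samples / sizeof samples[0];
    size_t i;

    printf("%10s %14s %12s %10s\n", "uid", "unsigned short", "short", "as root?");
    for (i = 0; i < n; i++) {
        printf("%10lu %14u %12d %10s\n",
               (unsigned long)samples[i],
               truncated_uid(samples[i]),
               truncated_signed_uid(samples[i]),
               truncation_yields_root(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

      The table shows why a fileset must be certified rather than merely
      compiled: a uid of 65536 or 131072 is indistinguishable from root
      once it has passed through a short.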

      The suid files in the following filesets have been examined and
      are free of the security vulnerability (after installing the
      patches listed above).  This only implies that the files are free
      from the vulnerability.  It does not necessarily mean that the
      programs in that fileset will work properly in a large uid/gid
      system.

         100VG-RUN, AB-NET, AB-RUN, AB-SUPPORT, ACCOUNTNG, AGRM, ASU,
         AUDIO-SRV, CDE-DTTERM, CDE-RUN, CMDS-AUX, CMDS-MIN,
         DCE-CORE-RUN, DDX-FREEDOM, DVC-SRV, DVC-SRV, EDITORS,
         FAX-SER-CMN, FCEISA-RUN, FCHSC-RUN, FDDI6-RUN, FTAM, GLANCE,
         GLANCE, GPM, HPNP-RUN, HPNP-RUN, HPPAK, HPPB100BT-RUN,
         INETSVCS-RUN, LAN-RUN, LMU, LP-SPOOL, LVM-RUN, LVM-RUN,
         MAILERS, MAPCHAN-CMD, MCSE-CORE, MPOWER-CLIENT, NET-RUN,
         NFS-CLIENT, NIS-CLIENT, OM-ADM, OM-BB, OM-CCMOB, OM-CORE,
         OM-DESK, OM-DSYNC, OM-FAX, OM-LC, OM-NOTES, OM-P7,
         OM-PMOVER, OM-RC, OM-SMS, OM-SNOOP, OM-UNIX, OM-X400,
         OMNI-CORE, OTS-RUN, OVNNM-RUN, PHIGS-RUN, PHIGS-RUN,
         PR-INFORMIX, PRM-RUN, RUPDATE, SAM, SCAN-CFG, SD-CMDS,
         SLIP-RUN, SNAP-COMMON, SNAP-RJE, SNAP2-CORE, SNAP2-RJE,
         STAR-RUN, SYS-ADMIN, SYSCOM, TERM-MNGR-MIN, TOKEN1-RUN,
         TOKEN2-RUN, TOKEN3-RUN, UPG-ANALYSIS, UUCP, UX-CORE,
         VUE-RUN, WTNETSCAPE2-RU, X11-RUN-CL, X11-RUN-CTRB, X400-RUN

      Note: The fact that a fileset is missing from the list above
      does not mean it is suspect.  It may mean the fileset contains
      no suid files.  The script below can be used to identify suid
      files that are not contained in known safe filesets.


   B. Fixing the problem

      Install the patches listed above and examine all suid files.
      The following script will identify suspect suid files.
      The provider of any suspect file should be contacted to confirm
      that the program is safe for use in a large uid/gid system.

      Note:  The script was tested on a system with one file system.
      If you have a different configuration (nfs mounted file systems,
      for example), you may want to modify the find(1) command.

      Note:  Some suid files may be listed under the fileset of
      a patch as well as under the primary fileset.  In that case:

        1. Use swlist to find all the instances of each file.

           For example:

            # swlist -l file | grep vueaction
            PHSS_8537.PHSS_8537: /usr/vue/bin/vueaction
            VUE.VUE-MAN: /usr/share/man/man1.Z/vueaction.1
            VUE.VUE-RUN: /usr/vue/bin/vueaction
            # swlist -l file | grep vuehello
            ...


        2. Verify that the primary (non-patch) fileset is on the
           list of large uid/gid safe filesets.  In this case
           VUE-RUN is on the list.

        3. Add the patch fileset (PHSS_8537 in this example) to the
           list of safe filesets in the script below.  For example:

              -e PHSS_8537: \


   C. Recommended solution

#!/bin/sh
echo "###############################################################"
echo "#                                                             #"
echo "#  Finds suid files that are suspect in a large uid/gid       #"
echo "#  system.  Those would be any suid file not in one           #"
echo "#  of the following filesets:                                 #"
echo "#                                                             #"
echo "#100VG-RUN, AB-NET, AB-RUN, AB-SUPPORT, ACCOUNTNG, AGRM, ASU, #"
echo "#AUDIO-SRV, CDE-DTTERM, CDE-RUN, CMDS-AUX, CMDS-MIN,          #"
echo "#DCE-CORE-RUN, DDX-FREEDOM, DVC-SRV, DVC-SRV, EDITORS,        #"
echo "#FAX-SER-CMN, FCEISA-RUN, FCHSC-RUN, FDDI6-RUN, FTAM, GLANCE, #"
echo "#GLANCE, GPM, HPNP-RUN, HPNP-RUN, HPPAK, HPPB100BT-RUN,       #"
echo "#INETSVCS-RUN, LAN-RUN, LMU, LP-SPOOL, LVM-RUN, LVM-RUN,      #"
echo "#MAILERS, MAPCHAN-CMD, MCSE-CORE, MPOWER-CLIENT, NET-RUN,     #"
echo "#NFS-CLIENT, NIS-CLIENT, OM-ADM, OM-BB, OM-CCMOB, OM-CORE,    #"
echo "#OM-DESK, OM-DSYNC, OM-FAX, OM-LC, OM-NOTES, OM-P7,           #"
echo "#OM-PMOVER, OM-RC, OM-SMS, OM-SNOOP, OM-UNIX, OM-X400,        #"
echo "#OMNI-CORE, OTS-RUN, OVNNM-RUN, PHIGS-RUN, PHIGS-RUN,         #"
echo "#PR-INFORMIX, PRM-RUN, RUPDATE, SAM, SCAN-CFG, SD-CMDS,       #"
echo "#SLIP-RUN, SNAP-COMMON, SNAP-RJE, SNAP2-CORE, SNAP2-RJE,      #"
echo "#STAR-RUN, SYS-ADMIN, SYSCOM, TERM-MNGR-MIN, TOKEN1-RUN,      #"
echo "#TOKEN2-RUN, TOKEN3-RUN, UPG-ANALYSIS, UUCP, UX-CORE,         #"
echo "#VUE-RUN, WTNETSCAPE2-RU, X11-RUN-CL, X11-RUN-CTRB, X400-RUN  #"
echo "#                                                             #"
echo "# Note:  This assumes that the patches listed in              #"
echo "#        HP Security Bulletin 41 are installed.               #"
echo "#                                                             #"
echo "# As you qualify other suid files you may want to             #"
echo "# modify this script.                                         #"
echo "#                                                             #"
echo "###############################################################"
td=/tmp/suid_temp
mkdir $td
##########################################################
# find all suid files
##########################################################
echo find all suid files:
echo "find / -type f -perm -u+s -print >$td/suid_files"
find / -type f -perm -u+s -print >$td/suid_files

##########################################################
# list all files in all installed filesets
##########################################################
echo list all files in all installed filesets:
echo "swlist -l file >$td/swlist.file"
swlist -l file >$td/swlist.file

##########################################################
# extract the suid files from the list all files
# in all installed filesets
##########################################################
echo find suspect suid files
grep -Ff $td/suid_files $td/swlist.file > $td/swlist.suid

##########################################################
# make a list of all the filesets containing suid files
##########################################################
awk '{print $1}' $td/swlist.suid | cut -f 2 -d\. \
   | sort -u >$td/suid_filesets

##########################################################
# remove from the list all the filesets known to be
# large uid/gid safe
##########################################################

# each fileset name is followed by ':' so that a pattern such as
# AB-RUN: cannot also match a longer fileset name that merely begins
# with the same characters
grep -ve 100VG-RUN:  -e AB-NET:  -e AB-RUN:  -e AB-SUPPORT: \
-e ACCOUNTNG:  -e AGRM:  -e ASU:  -e AUDIO-SRV:  -e CDE-DTTERM: \
-e CDE-RUN:  -e CMDS-AUX:  -e CMDS-MIN:  -e DCE-CORE-RUN: \
-e DDX-FREEDOM:  -e DVC-SRV:  -e DVC-SRV:  -e EDITORS: \
-e FAX-SER-CMN:  -e FCEISA-RUN:  -e FCHSC-RUN:  -e FDDI6-RUN: \
-e FTAM:  -e GLANCE:  -e GLANCE:  -e GPM:  -e HPNP-RUN: \
-e HPNP-RUN:  -e HPPAK:  -e HPPB100BT-RUN:  -e INETSVCS-RUN: \
-e LAN-RUN:  -e LMU:  -e LP-SPOOL:  -e LVM-RUN:  -e LVM-RUN: \
-e MAILERS:  -e MAPCHAN-CMD:  -e MCSE-CORE: \
-e MPOWER-CLIENT:  -e NET-RUN:  -e NFS-CLIENT:  -e NIS-CLIENT: \
-e OM-ADM:  -e OM-BB:  -e OM-CCMOB:  -e OM-CORE: \
-e OM-DESK:  -e OM-DSYNC:  -e OM-FAX:  -e OM-LC:  -e OM-NOTES: \
-e OM-P7:  -e OM-PMOVER:  -e OM-RC:  -e OM-SMS: \
-e OM-SNOOP:  -e OM-UNIX:  -e OM-X400:  -e OMNI-CORE: \
-e OTS-RUN:  -e OVNNM-RUN:  -e PHIGS-RUN:  -e PHIGS-RUN: \
-e PR-INFORMIX:  -e PRM-RUN:  -e RUPDATE:  -e SAM: \
-e SCAN-CFG:  -e SD-CMDS:  -e SLIP-RUN:  -e SNAP-COMMON: \
-e SNAP-RJE:  -e SNAP2-CORE:  -e SNAP2-RJE:  -e STAR-RUN: \
-e SYS-ADMIN:  -e SYSCOM:  -e TERM-MNGR-MIN:  -e TOKEN1-RUN: -e UUCP: \
-e TOKEN2-RUN:  -e TOKEN3-RUN:  -e UPG-ANALYSIS: \
-e UX-CORE:  -e VUE-RUN:  -e WTNETSCAPE2-RU:  -e X11-RUN-CL: \
-e X11-RUN-CTRB:  -e X400-RUN: \
$td/suid_filesets >$td/suid_suspect_filesets

##########################################################
# make a list of all the files in the suspect filesets
##########################################################
grep -Ff $td/suid_suspect_filesets $td/swlist.file \
  >$td/suid_suspect_filesets_files

##########################################################
# extract just the suid files from the suspect filesets
##########################################################

echo "The following suid files are suspect in a large uid/gid system:" \
     >$td/suid_suspect_files
echo "Fileset:       File">>$td/suid_suspect_files
echo "-------------------------------------------" >>$td/suid_suspect_files
# append (>>) so the header lines written above are not overwritten
grep -Ff $td/suid_files $td/suid_suspect_filesets_files \
  >>$td/suid_suspect_files

##########################################################
# suid files that are not in filesets are suspect
##########################################################
for i in `cat $td/suid_files`
do
  # -F matches the path literally, so characters such as '.' or '+'
  # in a file name are not treated as regular-expression operators
  count=`grep -c -F "$i" $td/swlist.file`
  if [ $count -eq 0 ]
  then
    echo "not_in_a_fileset: $i" >>$td/suid_suspect_files
  fi
done

cat $td/suid_suspect_files
echo "The list of suspect suid files is in $td/suid_suspect_files"
exit
##################### end ###########################################

   D. Impact of the patch
   Installs large uid/gid safe programs.

   E.  To subscribe to automatically receive future NEW HP
   Security Bulletins from the HP SupportLine Digest service via
   electronic mail, do the following:

       1)  From your Web browser, access the URL:

       http://us-support.external.hp.com (US, Canada, Asia-Pacific,
       and Latin-America)

       http://europe-support.external.hp.com  (Europe)

       2)  On the HP Electronic Support Center main screen, select
       the hyperlink "Support Information Digests".

       3)  On the "Welcome to HP's Support Information Digests" screen,
       under the heading "Register Now", select the appropriate
       hyperlink "Americas and Asia-Pacific", or "Europe".

       4)  On the "New User Registration" screen, fill in the fields
       for the User Information and Password and then select the
       button labeled "Submit New User".

       5)  On the "User ID Assigned" screen, select the hyperlink
       "Support Information Digests".

       **Note what your assigned user ID and password are for future
         reference.

       6)  You should now be on the "HP Support Information Digests
       Main" screen.  You might want to verify that your email address
       is correct as displayed on the screen.  From this screen, you
       may also view/subscribe to the digests, including the security
       bulletins digest.

       To get a patch matrix of current HP-UX and BLS security
       patches referenced by either Security Bulletin or Platform/OS,
       click on following screens in order:

         Technical Knowledge Database
         Browse Security Bulletins
         Security Bulletins Archive
         HP-UX Security Patch Matrix


   F. To report new security vulnerabilities, send email to

           security-alert@hp.com

       Please encrypt any exploit information using the security-alert
       PGP key, available from your local key server, or by sending a
       message with a -subject- (not body) of 'get key' (no quotes) to
       security-alert@hp.com.


      Permission is granted for copying and circulating this Bulletin to
      Hewlett-Packard (HP) customers (or the Internet community) for the
      purpose of alerting them to problems, if and only if, the Bulletin
      is not edited or changed in any way, is attributed to HP, and
      provided such reproduction and/or distribution is performed for
      non-commercial purposes.

      Any other use of this information is prohibited. HP is not liable
      for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID:  HPSBUX9611-041--------------------------------------

[ End Hewlett-Packard Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Hewlett-Packard for the
information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (198.128.39.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-notes

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-81: HP-UX swinstall command in SD-UX Vulnerability
H-82: Lynx Temporary Files & Downloading Vulnerabilities
H-83: Solaris ping Vulnerability
H-84: Windows NT NtOpenProcessToken Vulnerability
H-85: INN News Server Vulnerabilities
H-86: ld.so Vulnerability
H-87: HP-UX rlogin Vulnerability
H-88: SGI IRIX talkd Vulnerability
H-89: SunOS talkd Buffer Overrun Vulnerability
H-90: SunOS, Solaris NIS+ Vulnerability


