Hello,

In this letter you will find the result of a brief security audit that we did some time ago for the HP-UX platform. We have found 8 vulnerabilities (seven local and a remote one). Technical details about all of the vulnerabilities were sent to the HP security team a few months ago and in all cases appropriate security patches are available.

For each vulnerability we have written a proof of concept code. Some of them are available for download right now, the remaining ones will be published in the near future (they are also available in special cases upon well justified requests). All proof of concept codes have been written for the HP-UX 10.20 platform.

1. /usr/sbin/lanadmin
   /usr/sbin/landiag

The vulnerability in the lanadmin and landiag programs is caused by improper handling of the TERM environment variable in the setupterm() function: it copies this variable, without any size checking, into a stack buffer with the use of the strcpy() function. This bug can be triggered by invoking the lanadmin or landiag program with the TERM environment variable set to a long string value. When appropriately exploited it can lead to a local root compromise of a vulnerable system.

2. /opt/sharedprint/bin/pcltotiff

There exists a buffer overflow vulnerability in the command line parsing portion of the pcltotiff program. This bug can be triggered by invoking the pcltotiff program with a long string argument passed with the -t command line option. During program execution this argument is insecurely copied into a stack buffer with the use of the strcpy() function and without any size checking. When appropriately exploited this bug can lead to a privilege elevation attack, as the group id of bin can be gained on a vulnerable system.

3. rpc.yppasswdd

The rpc.yppasswdd service is typically installed with the NIS (Network Information Service) subsystem. The purpose of this service is to handle password change requests from the yppasswd program. In the HP-UX operating system, rpc.yppasswdd is installed as RPC service number 100009.

We have found that the same security vulnerability exists in HP-UX rpc.yppasswdd as in the Solaris operating system (Bulletin Number #00209). This vulnerability can be remotely exploited to gain unauthorised access to the target HP-UX system with administrative (root user) privileges.

The vulnerability can be triggered by sending a carefully crafted string argument to the YPPASSWDPROC_UPDATE function. This function has two arguments, a character string and a passwd struct, which stand respectively for the oldpass and the passwd struct (in our case the pw_name string; in our proof of concept code we only send a string instead of the whole structure). In the changepasswd() function the pw_name field of the passwd structure is copied into a fixed buffer with the use of a strcpy() function call. As this call is done without any checking of the string length and boundaries, the program stack can be overwritten as a result of a buffer overflow condition.

Below you can see a detailed trace log from our bptrace tool, which clearly illustrates the rpc.yppasswdd execution path that leads to the overflow condition.

  [21110] 0x00012a98 1 changepasswd()
  [21110] 0x00025480 1 memset(0xffbefa30,0,40)
  [21110] 0x00014448 1 xdr_yppasswd()
  [21110] 0x00025738 1 xdr_wrapstring()
  [21110] 0x00014374 1 xdr_passwd()
  [21110] 0x00025744 1 xdr_uid_t()
  [21110] 0x00025750 1 xdr_gid_t()
  [21110] 0x000126b4 1 validstr()
  [21110] 0x0002545c 1 strlen("")
  [21110] 0x000255b8 1 strchr("",':')
  [21110] 0x000126b4 2 validstr()
  [21110] 0x000126b4 3 validstr()
  [21110] 0x00025474 1 strcmp("udp","ticlts")
  ....
  [21110] 0x00025438 1 strcpy(0xffbef9d8,"overlfow string with shellcode")

4. /usr/lib/X11/Xserver/ucode/screens/hp/rs.F3000

This vulnerability results from bad coding practices, specifically the way the system() function call is used throughout the code of the rs.F30002 program. This function call is used by rs.F30002 for invoking external programs (like rm) without specifying their absolute path. If the PATH environment variable is appropriately set prior to such an unsafe system() call invocation, user programs can be executed at elevated privileges (user=daemon).

5. /usr/bin/stmkfont

A simple buffer overflow vulnerability exists in the command line parsing portion of the stmkfont program. This bug can be triggered by invoking the stmkfont program with a long string argument. When appropriately exploited it can lead to a privilege elevation attack, as the group id of bin can be gained on a vulnerable system.

6. /usr/bin/uucp

A buffer overflow vulnerability exists in the command line parsing portion of the uucp program. This bug can be triggered by invoking the uucp program with a long string argument as an option. When appropriately exploited it can lead to a privilege elevation attack, as the user id of uucp can be gained on a vulnerable system.

7. /usr/bin/uusub

A buffer overflow vulnerability exists in the command line parsing portion of the uusub program. This bug can be triggered by invoking the uusub program with a long string argument passed with the -a command line option. When appropriately exploited it can lead to a privilege elevation attack, as the user id of uucp can be gained on a vulnerable system.

Best Regards,
Members of LSD Research Group <http://lsd-pl.net>
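Items 1, 2, 3, 5, 6 and 7 above share one root cause: a string the invoking user controls (TERM, an argv option, an RPC argument) is strcpy()'d into a fixed stack buffer with no length check. The hardened copy below is an added example written for this letter, not code from HP-UX or from LSD's proof of concept; the buffer size TERM_BUF_LEN and the allowed character set for a terminal name are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Size of the fixed stack buffer. Assumed value for illustration; the
 * advisory does not state the real buffer sizes in the affected programs. */
#define TERM_BUF_LEN 32

enum term_copy_result {
    TERM_OK = 0,        /* copied and NUL-terminated */
    TERM_MISSING = -1,  /* no value supplied */
    TERM_TOO_LONG = -2, /* would not fit, counting the NUL */
    TERM_BAD_CHAR = -3  /* not a plausible terminal name */
};

/*
 * Vulnerable pattern as the advisory describes it for setupterm():
 *
 *     char buf[TERM_BUF_LEN];
 *     strcpy(buf, getenv("TERM"));    no length check at all
 *
 * Hardened replacement: copy only when the value fits the destination and
 * contains only characters a terminfo name can contain. The same check
 * applies to any untrusted string headed for a fixed buffer (argv options,
 * the pw_name field of an RPC request).
 */
int copy_bounded_name(const char *src, char *dst, size_t dstlen)
{
    size_t i;

    if (src == NULL || dst == NULL || dstlen == 0)
        return TERM_MISSING;
    for (i = 0; src[i] != '\0'; i++) {
        char c = src[i];
        if (i + 1 >= dstlen)            /* keep room for the NUL */
            return TERM_TOO_LONG;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '+' || c == '.'))
            return TERM_BAD_CHAR;
    }
    memcpy(dst, src, i + 1);            /* i + 1 <= dstlen, includes NUL */
    return TERM_OK;
}

/* Caller pattern: the stack buffer is only ever filled through the check. */
int setup_term_safe(const char *term_env)
{
    char buf[TERM_BUF_LEN];
    return copy_bounded_name(term_env, buf, sizeof buf);
}
```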
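Item 4 is a different class of bug: a privileged program calls system() with a relative program name, so the caller's PATH decides which binary actually runs. The following is an added example of the replacement pattern (absolute path, fixed environment, no shell), not code from rs.F30002; the directory list in SAFE_ENV and the helper names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <unistd.h>
#include <sys/wait.h>

/* Environment handed to every child: nothing is inherited from the caller,
 * so a PATH set by an unprivileged user can never reach the child. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", (char *)0 };

/* Unsafe pattern as the advisory describes it for rs.F30002:
 *     system("rm -f /some/file");
 * A shell resolves "rm" through the inherited PATH, so the privileged
 * (daemon) process runs whichever "rm" the invoking user put first. */

/* Accept a program path only if it is absolute and has no ".." component. */
int is_trusted_path(const char *path)
{
    const char *p;
    if (path == NULL || path[0] != '/')
        return 0;
    for (p = path; *p != '\0'; p++) {
        if (p[0] == '/' && p[1] == '.' && p[2] == '.' &&
            (p[3] == '/' || p[3] == '\0'))
            return 0;
    }
    return p - path > 1;            /* reject a bare "/" */
}

/* Replacement for system(): no shell, absolute path, fixed environment.
 * Returns the child's exit status, or -1 if the path is refused or the
 * child could not be created. */
int run_trusted(const char *path, char *const argv[])
{
    pid_t pid;
    int status;
    if (!is_trusted_path(path) || argv == NULL || argv[0] == NULL)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, SAFE_ENV);   /* no PATH lookup takes place */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```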