Date: 12 November 1996
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-96.09 AUSCERT Advisory
HP-UX SYSDIAG Online Diagnostics Subsystem Vulnerability
12 November 1996
Last Revised: --
- ---------------------------------------------------------------------------
AUSCERT has received information that there is a vulnerability in the
SYSDIAG Online Diagnostics Subsystem supplied by Hewlett Packard. This
vulnerability is present under both HP-UX 9.x and 10.x
This vulnerability may allow local users to gain root privileges.
Exploit details involving this vulnerability have been widely distributed.
Official patches may be released by Hewlett Packard to address this
vulnerability in the future. Until patches are made available, AUSCERT
recommends that sites take the actions suggested in Section 3.1.
This advisory will be updated when vendor patches are made available.
- ---------------------------------------------------------------------------
1. Description
The HP SYSDIAG Online Diagnostics Subsystem enables users to run
online diagnostic programs to diagnose suspected system hardware
problems.
Some programs supplied with the SYSDIAG package create files in
an insecure manner. As these programs execute with root
privileges, it is possible to create arbitrary files on the system.
The SYSDIAG subsystem may be installed under both HP-UX 9.x and 10.x.
The default location of the programs used by the SYSDIAG package
differs between the 9.x and 10.x releases of the operating system.
To determine if the SYSDIAG programs are installed, sites should check
for the presence of the program "sysdiag".
Under HP-UX 9.x:
% ls -l /bin/sysdiag
Under HP-UX 10.x:
% ls -l /usr/sbin/sysdiag
Individual sites are encouraged to check their systems for the SYSDIAG
package, and if installed, take the actions recommended in Section 3.
2. Impact
Local users may be able to create arbitrary files on the system. This
may be leveraged to gain root privileges.
3. Workarounds/Solution
AUSCERT recommends that sites prevent the possible exploitation of
this vulnerability by immediately applying the workaround given in
Section 3.1.
Currently there are no vendor patches available that address this
vulnerability. AUSCERT recommends that official vendor patches be
installed when they are made available.
3.1 Remove setuid permissions
Until official vendor patches are made available, sites should
remove the setuid root permissions from the vulnerable programs. To
do this, the following commands should be run as root:
Under HP-UX 9.x
# chmod u-s /bin/sysdiag
# chmod u-s /usr/diag/bin/*
Under HP-UX 10.x
# chmod u-s /usr/sbin/sysdiag
# chmod u-s /usr/sbin/diag/*
Note that this will restrict non-root users from using the SYSDIAG
subsystem diagnostic tools.
When using any of the SYSDIAG subsystem programs as root, system
administrators should ensure that they do not use the "outfile"
sub-command to write files in world writable directories. Writing
files in such directories may leave the system open to exploitation
of this vulnerability.
- ---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory. Thanks also to
Viviani Paz (The University of Queensland) for her assistance in this
matter.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBMohljih9+71yA2DNAQEY/wP+NyRvPnVOuP4aR7pQKaGKuhqGRIx7fya7
+DAEQ7xwD4Bc0uaKUnkj58fOBSmTh8BBqSFZMASKw8dh0BFIf+166kSKw1S6bJhk
fvlWacxFWkxgM4SWnEszVW+jGrfXrTwkE2xtW3mpDN4EKvC4K6VTH4QdF2/4lK0t
6SdIb+Rm7iA=
=yMkL
-----END PGP SIGNATURE-----
|