Date: 14 May 1997
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-96.13 AUSCERT Advisory
HP-UX passwd Buffer Overrun Vulnerability
28 November 1996
Last Revised: 14 May 1997
The location of overflow_wrapper.c has changed. Section
3 was updated to show this.
A complete revision history is at the end of this file.
- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the
passwd(1) program under HP-UX 9.x and HP-UX 10.x.
This vulnerability may allow local users to gain root privileges.
Exploit information involving this vulnerability has been made
publicly available.
Vendor patches have been released addressing this vulnerability.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
- ---------------------------------------------------------------------------
1. Description
AUSCERT has received information that a vulnerability exists in the
HP-UX passwd(1) program.
This vulnerability is known to affect HP-UX 9.x and 10.x.
Due to insufficient bounds checking on arguments which are supplied
by users, it is possible to overwrite the internal stack space of the
passwd program while it is executing. By supplying a carefully
designed argument to the passwd program, intruders may be able to
force passwd to execute arbitrary commands. As passwd is setuid
root, it may allow intruders to run arbitrary commands with root
privileges.
By default, a dynamically linked version of the passwd program is
found in /bin under HP-UX 9.x and in /usr/bin under HP-UX 10.x. A
statically linked version is also available under HP-UX 10.x and is
located in /sbin.
Exploit information involving this vulnerability has been made
publicly available.
2. Impact
Local users may gain root privileges.
3. Workarounds/Solution
Official vendor patches have been released by Hewlett-Packard which
address this vulnerability (Section 3.1).
If the patches recommended by Hewlett-Packard cannot be applied,
AUSCERT recommends that sites limit the possible exploitation of this
vulnerability by immediately applying the workarounds given in Sections
3.2.1 and 3.2.2. Sites using either HP-UX 9.x or HP-UX 10.x will need
to apply the workaround given in Section 3.2.1. In addition, sites
using HP-UX 10.x will also need to apply the workaround given in
Section 3.2.2.
3.1 Install vendor patches
Hewlett-Packard has released a security bulletin, containing patch
information, addressing the vulnerability described in this advisory.
The original release of this bulletin has been appended in Appendix A.
A current version of this security bulletin can be retrieved from:
http://us.external.hp.com:80/search/bin/wwwsdoc.pl?DOCID=HPSBUX9701-045
AUSCERT recommends that sites apply the patches given in this bulletin
immediately.
3.2.1 Install passwd wrapper
For those sites unable to install the patches supplied by
Hewlett-Packard, AUSCERT has developed a wrapper to help prevent
programs from being exploited using the vulnerability described in
this advisory. This wrapper, including installation instructions,
can be found at:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c
This wrapper replaces the passwd program and checks the length of the
command line arguments which are passed to it. If an argument exceeds
a certain predefined value (MAXARGLEN), the wrapper exits without
executing the passwd command. The wrapper program can also be
configured to syslog any failed attempts to execute passwd with
arguments exceeding MAXARGLEN. For further instructions on using this
wrapper, please read the comments at the top of overflow_wrapper.c.
When compiling overflow_wrapper.c for use with HP-UX passwd, AUSCERT
recommends defining MAXARGLEN to be 64.
The MD5 checksum for the current version of overflow_wrapper.c can
be retrieved from:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM
AUSCERT recommends that until vendor patches can be installed,
sites apply this workaround.
The overflow_wrapper.c program provides functionality identical to
passwd_wrapper.c included in the previous version of this advisory.
Sites that have already installed passwd_wrapper.c do not need to
install overflow_wrapper.c.
Sites using HP-UX 10.x will need to additionally apply the workaround
given in Section 3.2.2.
3.2.2 Remove setuid and non-root execute permissions on /sbin/passwd
Under HP-UX 10.x, a statically linked copy of the passwd program is
located in /sbin. This copy of the passwd program is available for
root to use when only the root partition is mounted, for example, when
in single user mode. There is no need for non-root users to use this
copy of the passwd program, so setuid and non-root execute permissions
should be removed.
# ls -l /sbin/passwd
-r-sr-xr-x 1 root bin 487424 Jun 10 17:00 /sbin/passwd
# chmod 500 /sbin/passwd
# ls -l /sbin/passwd
-r-x------ 1 root bin 487424 Jun 10 17:00 /sbin/passwd
Note this will remove the ability for non-root users to execute
/sbin/passwd.
4. Additional measures
During the installation of HP-UX patches, copies of files being
replaced are saved in case the patches need to be backed out of. The
original versions of patched files are stored in the following
locations:
HP-UX 9.x: /system/<PATCH-NAME>/orig/
HP-UX 10.x: /var/adm/sw/patch/PATCH_NAME>/
If patches for vulnerable programs have been previously installed,
copies of the vulnerable programs may be available in the above
locations. Sites should ensure the directories have permissions
which restrict access to the patch areas.
...........................................................................
Appendix A
- ---------------------BEGIN HP SECURITY ADVISORY----------------------------
- -------------------------------------------------------------------------
**REVISED 01**HEWLETT-PACKARD SECURITY BULLETIN: #00045, 08 January 1997
- -------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
- -------------------------------------------------------------------------
PROBLEM: Security Vulnerabilities in the password command
PLATFORM: HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X
DAMAGE: Vulnerabilities exists allowing local users to gain root
privileges.
SOLUTION: **REVISED 01**Apply patch:
PHCO_9742 Series 800 for HP-UX releases 9.0 and 9.04
PHCO_9743 Series 700 for HP-UX releases 9.01, 9.03, 9.05 & 9.07
PHCO_9640 Series 700/800 for HP-UX releases 10.00,10.01,10.10
PHCO_9641 Series 700/800 for HP-UX releases 10.20
AVAILABILITY: Patches for HP-UX 9.X will be available only after 08 Jan
1997, while the 10.X patches are available now.
- -------------------------------------------------------------------------
I.
A. Background
A vulnerability with the password command (/etc/passwd) has been
discovered.
B. Fixing the problem
The vulnerability can be eliminated from HP-UX releases 9.X and
10.X by applying the appropriate patch.
NOTE: There are patch dependencies for certain HP-UX 10.X versions
of the new password command. Install the new libsec patches
listed below in addition to actual command patch.
- on HP9000 Series 700/800 running HP-UX 10.10
install PHCO_9640 and PHCO_7634,
- on HP9000 Series 700/800 running HP-UX 10.00 and 10.01
install PHCO_9640 and PHCO_7635,
- on HP9000 Series 700/800 running HP-UX 10.20
there is no such dependency.
C. Recommended solution
1. Determine which patch(es) are appropriate for your hardware
platform and operating system.
2. Hewlett-Packard's HP-UX patches are available via email
and the World Wide Web
To obtain a copy of the Hewlett-Packard SupportLine email
service user's guide, send the following in the TEXT PORTION
OF THE MESSAGE to support@us.external.hp.com (no Subject
is required):
send guide
The users guide explains the HP-UX patch downloading process
via email and other services available.
World Wide Web service for downloading of patches
is available via our URL:
(http://us.external.hp.com)
3. Apply the patch(es) to your HP-UX system.
4. Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log
(10.X), for any relevant WARNING's or ERROR's.
D. Impact of the patch
The patches for HP-UX releases 9.X and 10.X provide enhancements
to the password command and related library functions to avoid
this vulnerability.
E. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP SupportLine Digest service via electronic
mail, do the following:
1) From your Web browser, access the URL:
http://us-support.external.hp.com (US,Canada,
Asia-Pacific, and Latin-America)
http://europe-support.external.hp.com (Europe)
2) On the HP Electronic Support Center main screen, select
the hyperlink "Support Information Digests".
3) On the "Welcome to HP's Support Information Digests" screen,
under the heading "Register Now", select the appropriate hyperlink
"Americas and Asia-Pacific", or "Europe".
4) On the "New User Registration" screen, fill in the fields for
the User Information and Password and then select the button labeled
"Submit New User".
5) On the "User ID Assigned" screen, select the hyperlink
"Support Information Digests".
** Note what your assigned user ID and password are for future
reference.
6) You should now be on the "HP Support Information Digests Main"
screen. You might want to verify that your email address is correct
as displayed on the screen. From this screen, you may also
view/subscribe to the digests, including the security bulletins
digest.
To get a patch matrix of current HP-UX and BLS security
patches referenced by either Security Bulletin or Platform/OS,
click on following screens in order:
Technical Knowledge Database
Browse Security Bulletins
Security Bulletins Archive
HP-UX Security Patch Matrix
F. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin is
not edited or changed in any way, is attributed to HP, and provided
such reproduction and/or distribution is performed for non-commercial
purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
- -----------------------END HP SECURITY ADVISORY----------------------------
...........................................................................
- ---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory. AUSCERT also
thanks Information Technology Services of the University of Southern
Queensland, Albert Lunde (Northwestern University) and CERT/CC for
their assistance.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
14 May 1997 The location of overflow_wrapper.c has changed. Section
3 was updated to show this.
14 Jan 1997 Hewlett-Packard released a security bulletin addressing
this vulnerability in the passwd program. This was
appended in Appendix A. Section 3 was modified to inform
people to apply vendor patches if possible.
4 Dec 1996 /sbin/passwd, a statically linked version of the passwd
program, was also found to be vulnerable under HP-UX 10.x.
The workarounds given in this advisory were updated to
include removing non-root execution of this program.
Replace passwd_wrapper program given in Appendix A with
a pointer to overflow_wrapper.c, a general wrapper program
designed to help prevent programs being exploited through
buffer overrun vulnerabilities. This new wrapper program
provides functionality identical to that of
passwd_wrapper.c, distributed with the original advisory.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM3mtcCh9+71yA2DNAQGiUwP/YQfVqcvEBbBuBukszUAtfMyWmQX9Yp8B
i8olutviZlSfPtOf6IeNui/i1RkdsN+boH/vwmjSMKspt6kny1M19ITcJ2VDUCy3
8AcL05XBSNtZiBxmrjxYXorBIiRrMOseRc1dCoxrKpk7ux5swFAp1ZUVgeusEs/D
DMW3mYFAxeQ=
=N+4V
-----END PGP SIGNATURE-----
|