AusCERT - AA-96.13 -- HP-UX passwd Buffer Overrun Vulnerability

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
AA-96.13 -- HP-UX passwd Buffer Overrun Vulnerability
Date: 14 May 1997

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.13                        AUSCERT Advisory
                      HP-UX passwd Buffer Overrun Vulnerability
                                28 November 1996

Last Revised: 	14 May 1997
                The location of overflow_wrapper.c has changed.  Section
                3 was updated to show this.

		A complete revision history is at the end of this file.

- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the
passwd(1) program under HP-UX 9.x and HP-UX 10.x.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made 
publicly available.

Vendor patches have been released addressing this vulnerability.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

- ---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    HP-UX passwd(1) program.

    This vulnerability is known to affect HP-UX 9.x and 10.x.

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    passwd program while it is executing.  By supplying a carefully
    designed argument to the passwd program, intruders may be able to
    force passwd to execute arbitrary commands.  As passwd is setuid
    root, it may allow intruders to run arbitrary commands with root
    privileges.

    By default, a dynamically linked version of the passwd program is
    found in /bin under HP-UX 9.x and in /usr/bin under HP-UX 10.x.  A
    statically linked version is also available under HP-UX 10.x and is
    located in /sbin.

    Exploit information involving this vulnerability has been made 
    publicly available.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    Official vendor patches have been released by Hewlett-Packard which
    address this vulnerability (Section 3.1).

    If the patches recommended by Hewlett-Packard cannot be applied,
    AUSCERT recommends that sites limit the possible exploitation of this
    vulnerability by immediately applying the workarounds given in Sections
    3.2.1 and 3.2.2.  Sites using either HP-UX 9.x or HP-UX 10.x will need
    to apply the workaround given in Section 3.2.1.  In addition, sites
    using HP-UX 10.x will also need to apply the workaround given in
    Section 3.2.2.

3.1 Install vendor patches

    Hewlett-Packard has released a security bulletin, containing patch
    information, addressing the vulnerability described in this advisory.
    The original release of this bulletin has been appended in Appendix A.  
    A current version of this security bulletin can be retrieved from:

       http://us.external.hp.com:80/search/bin/wwwsdoc.pl?DOCID=HPSBUX9701-045

    AUSCERT recommends that sites apply the patches given in this bulletin 
    immediately.

3.2.1 Install passwd wrapper

    For those sites unable to install the patches supplied by
    Hewlett-Packard, AUSCERT has developed a wrapper to help prevent
    programs from being exploited using the vulnerability described in
    this advisory.  This wrapper, including installation instructions,
    can be found at:

ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c

    This wrapper replaces the passwd program and checks the length of the
    command line arguments which are passed to it.  If an argument exceeds
    a certain predefined value (MAXARGLEN), the wrapper exits without
    executing the passwd command.  The wrapper program can also be
    configured to syslog any failed attempts to execute passwd with
    arguments exceeding MAXARGLEN.  For further instructions on using this
    wrapper, please read the comments at the top of overflow_wrapper.c.

    When compiling overflow_wrapper.c for use with HP-UX passwd, AUSCERT
    recommends defining MAXARGLEN to be 64.

    The MD5 checksum for the current version of overflow_wrapper.c can
    be retrieved from:

         ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM

    AUSCERT recommends that until vendor patches can be installed,
    sites apply this workaround.

    The overflow_wrapper.c program provides functionality identical to
    passwd_wrapper.c included in the previous version of this advisory.
    Sites that have already installed passwd_wrapper.c do not need to
    install overflow_wrapper.c.

    Sites using HP-UX 10.x will need to additionally apply the workaround
    given in Section 3.2.2.

3.2.2 Remove setuid and non-root execute permissions on /sbin/passwd

    Under HP-UX 10.x, a statically linked copy of the passwd program is
    located in /sbin.  This copy of the passwd program is available for
    root to use when only the root partition is mounted, for example, when
    in single user mode.  There is no need for non-root users to use this
    copy of the passwd program, so setuid and non-root execute permissions
    should be removed.

	# ls -l /sbin/passwd
	-r-sr-xr-x   1 root   bin  487424 Jun 10 17:00 /sbin/passwd

	# chmod 500 /sbin/passwd
	# ls -l /sbin/passwd
	-r-x------   1 root   bin  487424 Jun 10 17:00 /sbin/passwd

    Note this will remove the ability for non-root users to execute
    /sbin/passwd.

4.  Additional measures

    During the installation of HP-UX patches, copies of files being
    replaced are saved in case the patches need to be backed out of.  The
    original versions of patched files are stored in the following
    locations:

	HP-UX 9.x:	/system/<PATCH-NAME>/orig/
	HP-UX 10.x:	/var/adm/sw/patch/PATCH_NAME>/

    If patches for vulnerable programs have been previously installed,
    copies of the vulnerable programs may be available in the above
    locations.  Sites should ensure the directories have permissions
    which restrict access to the patch areas.

...........................................................................

Appendix A

- ---------------------BEGIN HP SECURITY ADVISORY----------------------------

- -------------------------------------------------------------------------
**REVISED 01**HEWLETT-PACKARD SECURITY BULLETIN: #00045, 08 January 1997
- -------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

- -------------------------------------------------------------------------
PROBLEM:  Security Vulnerabilities in the password command

PLATFORM: HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X

DAMAGE:   Vulnerabilities exists allowing local users to gain root
          privileges.

SOLUTION: **REVISED 01**Apply patch:
          PHCO_9742 Series 800 for HP-UX releases 9.0 and 9.04
          PHCO_9743 Series 700 for HP-UX releases 9.01, 9.03, 9.05 & 9.07
          PHCO_9640 Series 700/800 for HP-UX releases 10.00,10.01,10.10
          PHCO_9641 Series 700/800 for HP-UX releases 10.20

AVAILABILITY: Patches for HP-UX 9.X will be available only after 08 Jan
          1997, while the 10.X patches are available now.

- -------------------------------------------------------------------------
I.
   A. Background
      A vulnerability with the password command (/etc/passwd) has been
      discovered.

   B. Fixing the problem
      The vulnerability can be eliminated from HP-UX releases 9.X and
      10.X by applying the appropriate patch.

      NOTE: There are patch dependencies for certain HP-UX 10.X versions
            of the new password command.  Install the new libsec patches
            listed below in addition to actual command patch.

           - on HP9000 Series 700/800 running HP-UX 10.10
             install PHCO_9640 and PHCO_7634,

           - on HP9000 Series 700/800 running HP-UX 10.00 and 10.01
             install PHCO_9640 and PHCO_7635,

           - on HP9000 Series 700/800 running HP-UX 10.20
             there is no such dependency.

   C. Recommended solution
      1.  Determine which patch(es) are appropriate for your hardware
          platform and operating system.

      2.  Hewlett-Packard's HP-UX patches are available via email
          and the World Wide Web

          To obtain a copy of the Hewlett-Packard SupportLine email
          service user's guide, send the following in the TEXT PORTION
          OF THE MESSAGE to support@us.external.hp.com (no Subject
          is required):

                               send guide

          The users guide explains the HP-UX patch downloading process
          via email and other services available.

          World Wide Web service for downloading of patches
          is available via our URL:
                  (http://us.external.hp.com)

      3.  Apply the patch(es) to your HP-UX system.

      4.  Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log
          (10.X), for any relevant WARNING's or ERROR's.

   D. Impact of the patch
      The patches for HP-UX releases 9.X and 10.X provide enhancements
      to the password command and related library functions to avoid
      this vulnerability.

   E. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP SupportLine Digest service via electronic
      mail, do the following:

      1)  From your Web browser, access the URL:

      http://us-support.external.hp.com (US,Canada,
      Asia-Pacific, and Latin-America)

      http://europe-support.external.hp.com  (Europe)

      2)  On the HP Electronic Support Center main screen, select
      the hyperlink "Support Information Digests".

      3)  On the "Welcome to HP's Support Information Digests" screen,
      under the heading "Register Now", select the appropriate hyperlink
      "Americas and Asia-Pacific", or "Europe".

      4)  On the "New User Registration" screen, fill in the fields for
      the User Information and Password and then select the button labeled
      "Submit New User".

      5)  On the "User ID Assigned" screen, select the hyperlink
      "Support Information Digests".

      ** Note what your assigned user ID and password are for future
      reference.

      6)  You should now be on the "HP Support Information Digests Main"
      screen.  You might want to verify that your email address is correct
      as displayed on the screen.  From this screen, you may also
      view/subscribe to the digests, including the security bulletins
      digest.

      To get a patch matrix of current HP-UX and BLS security
      patches referenced by either Security Bulletin or Platform/OS,
      click on following screens in order:
         Technical Knowledge Database
         Browse Security Bulletins
         Security Bulletins Archive
         HP-UX Security Patch Matrix

   F. To report new security vulnerabilities, send email to

          security-alert@hp.com

      Please encrypt any exploit information using the security-alert
      PGP key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.

   Permission is granted for copying and circulating this Bulletin to
   Hewlett-Packard (HP) customers (or the Internet community) for the
   purpose of alerting them to problems, if and only if, the Bulletin is
   not edited or changed in any way, is attributed to HP, and provided
   such reproduction and/or distribution is performed for non-commercial
   purposes.

   Any other use of this information is prohibited.  HP is not liable
   for any misuse of this information by any third party.

- -----------------------END HP SECURITY ADVISORY----------------------------

...........................................................................

- ---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.  AUSCERT also
thanks Information Technology Services of the University of Southern
Queensland, Albert Lunde (Northwestern University) and CERT/CC for
their assistance.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

14 May 1997     The location of overflow_wrapper.c has changed.  Section
		3 was updated to show this.

14 Jan 1997	Hewlett-Packard released a security bulletin addressing
		this vulnerability in the passwd program.  This was
		appended in Appendix A. Section 3 was modified to inform
		people to apply vendor patches if possible.

4 Dec 1996 	/sbin/passwd, a statically linked version of the passwd
		program, was also found to be vulnerable under HP-UX 10.x.  
		The workarounds given in this advisory were updated to
		include removing non-root execution of this program.

		Replace passwd_wrapper program given in Appendix A with
		a pointer to overflow_wrapper.c, a general wrapper program
		designed to help prevent programs being exploited through
		buffer overrun vulnerabilities.  This new wrapper program
		provides functionality identical to that of
		passwd_wrapper.c, distributed with the original advisory.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBM3mtcCh9+71yA2DNAQGiUwP/YQfVqcvEBbBuBukszUAtfMyWmQX9Yp8B
i8olutviZlSfPtOf6IeNui/i1RkdsN+boH/vwmjSMKspt6kny1M19ITcJ2VDUCy3
8AcL05XBSNtZiBxmrjxYXorBIiRrMOseRc1dCoxrKpk7ux5swFAp1ZUVgeusEs/D
DMW3mYFAxeQ=
=N+4V
-----END PGP SIGNATURE-----