AA-96.18 -- HP-UX chfn Buffer Overrun Vulnerability
Date:
14 May 1997
===========================================================================
AA-96.18                        AUSCERT Advisory
                  HP-UX chfn Buffer Overrun Vulnerability
                               9 December 1996
                        Last Revised: 14 May, 1997

The location of overflow_wrapper.c has changed. Section 3 was updated to show this. A complete revision history is at the end of this file.
---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the chfn(1) program under HP-UX 9.x and 10.x. This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly available.

Vendor patches have been released addressing this vulnerability. AUSCERT recommends that sites take the steps outlined in Section 3 as soon as possible.
---------------------------------------------------------------------------

1. Description

AUSCERT has received information that a vulnerability exists in the HP-UX chfn(1) program. The chfn command is used to change user information in the password file, and is installed by default.

Due to insufficient bounds checking on arguments which are supplied by users, it is possible to overwrite the internal stack space of the chfn program while it is executing. By supplying a carefully designed argument to the chfn program, intruders may be able to force chfn to execute arbitrary commands. As chfn is setuid root, this may allow intruders to run arbitrary commands with root privileges.

This vulnerability is known to affect both HP-UX 9.x and 10.x. By default, chfn is located in /usr/bin under both HP-UX 9.x and 10.x.

Exploit information involving this vulnerability has been made publicly available.

2. Impact

Local users may gain root privileges.

3. Workarounds/Solution

Official vendor patches have been released by Hewlett-Packard which address this vulnerability (Section 3.1).
If the patches recommended by Hewlett-Packard cannot be applied, AUSCERT recommends that sites limit the possible exploitation of this vulnerability by immediately removing the setuid permissions as stated in Section 3.2. If the chfn command is required, AUSCERT recommends the chfn wrapper program given in Section 3.3 be installed.

3.1 Install vendor patches

Hewlett-Packard has released a security bulletin, containing patch information, addressing the vulnerability described in this advisory. The original release of this bulletin has been appended in Appendix A. A current version of this security bulletin can be retrieved from:

    http://us.external.hp.com:80/search/bin/wwwsdoc.pl?DOCID=HPSBUX9701-049

AUSCERT recommends that sites apply the patches given in this bulletin immediately.

3.2 Remove setuid and non-root execute permissions

To prevent the exploitation of the vulnerability described in this advisory, AUSCERT recommends that the setuid permissions be removed from the chfn program immediately. As the chfn program will no longer work for non-root users, it is recommended that the execute permissions also be removed. Before doing so, the original permissions for chfn should be noted, as they will be needed if sites choose to install the chfn wrapper program (Section 3.3). For example:

    # ls -l /usr/bin/chfn
    -r-sr-xr-x   1 root     bin        20480 Jun 10  1996 /usr/bin/chfn
    # chmod 500 /usr/bin/chfn
    # ls -l /usr/bin/chfn
    -r-x------   1 root     bin        20480 Jun 10  1996 /usr/bin/chfn

Note that this will remove the ability for any non-root user to run the chfn program.

3.3 Install chfn wrapper

AUSCERT has developed a wrapper program to help prevent programs from being exploited using the vulnerability described in this advisory. This wrapper, including installation instructions, can be found at:

    ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c

This replaces the chfn program with a wrapper which checks the length of the command line arguments passed to it.
If an argument exceeds a certain predefined value (MAXARGLEN), the wrapper exits without executing the chfn command. The wrapper program can also be configured to syslog any failed attempts to execute chfn with arguments exceeding MAXARGLEN. For further instructions on using this wrapper, please read the comments at the top of overflow_wrapper.c.

When compiling overflow_wrapper.c for use with HP-UX chfn, AUSCERT recommends defining MAXARGLEN to be 16.

The MD5 checksum for the current version of overflow_wrapper.c can be retrieved from:

    ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM

AUSCERT recommends that until vendor patches can be installed, sites requiring the chfn functionality apply this workaround.

4. Additional measures

Most Unix systems ship numerous programs which have setuid or setgid privileges. Often the functionality supplied by these privileged programs is not required by many sites. The large number of privileged programs shipped by default caters for all possible uses of the system.

AUSCERT encourages sites to examine all the setuid/setgid programs and determine the necessity of each program. If a program does not absolutely require the setuid/setgid privileges to operate (for example, it is only run by the root user), the setuid/setgid privileges should be removed. Furthermore, if a program is not required at your site, then all execute permissions should be removed.

A sample command to find all setuid/setgid programs is (run as root):

    # find / \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;

It is AUSCERT's experience that many vulnerabilities are being discovered in setuid/setgid programs which are not necessary for the correct operation of most systems. Sites can increase their security by removing unnecessary setuid/setgid programs.
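The argument-length check performed by the Section 3.3 wrapper, written out here as an added example in C; this is not AusCERT's overflow_wrapper.c. It assumes the original chfn has been moved to REAL_CHFN (an assumed path) and left root-only as in Section 3.2, with this wrapper installed in its place.

```c
/* Added example, not AusCERT's overflow_wrapper.c: a minimal wrapper that
 * refuses to exec the real chfn when any argument is longer than MAXARGLEN
 * and logs the refusal to syslog. REAL_CHFN is an assumed path for the
 * original binary (kept root-only as in Section 3.2). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#ifndef MAXARGLEN
#define MAXARGLEN 16                    /* value AUSCERT recommends for HP-UX chfn */
#endif
#ifndef REAL_CHFN
#define REAL_CHFN "/usr/bin/chfn.real"  /* assumed: where the original chfn was moved */
#endif

/* Return the index of the first argument (argv[0] excluded) whose length
 * exceeds maxlen, or 0 if every argument is within bounds. */
int first_oversized_arg(int argc, char *const argv[], size_t maxlen)
{
    for (int i = 1; i < argc; i++) {
        if (strlen(argv[i]) > maxlen)
            return i;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    int bad = first_oversized_arg(argc, argv, MAXARGLEN);
    if (bad != 0) {
        /* Record who tried and which argument tripped the check, then exit
         * without ever running the vulnerable program. */
        openlog("chfn-wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING, "refused: argument %d longer than %d bytes (uid=%u)",
               bad, MAXARGLEN, (unsigned)getuid());
        closelog();
        fputs("chfn: argument too long\n", stderr);
        return EXIT_FAILURE;
    }
    /* All arguments are within bounds: hand the unchanged argument vector to
     * the real program. execv only returns if the exec itself failed. */
    execv(REAL_CHFN, argv);
    perror("execv");
    return EXIT_FAILURE;
}
```

Build with `-DMAXARGLEN=16 -DREAL_CHFN='"..."'` to match the local layout; the length bound is a mitigation that keeps over-long input away from chfn, not a fix for the overflow itself.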
For example, the functionality provided by the chfn program is not needed by many sites since the user information stored in the password file, which chfn is used to change, is typically static. If sites had previously disabled the chfn program, they would not have been vulnerable to this latest exploit.

...........................................................................

Appendix A

---------------------BEGIN HP SECURITY ADVISORY----------------------------
-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00049, 09 January 1997
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett Packard will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:      Security vulnerability in the chfn executable
PLATFORM:     HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X
DAMAGE:       Vulnerabilities exist allowing local users to gain root privileges.
SOLUTION:     Apply patch:
              PHCO_9595 for all platforms with HP-UX releases 9.X
              PHCO_9596 for all platforms with HP-UX releases 10.00/10.01/10.10
              PHCO_9597 for all platforms with HP-UX releases 10.20
AVAILABILITY: All patches are available now.
-------------------------------------------------------------------------

I.
A. Background
   A vulnerability with the chfn command (/usr/bin/chfn) has been discovered.

B. Fixing the problem
   The vulnerability can be eliminated from HP-UX releases 9.X and 10.X by applying the appropriate patch.

C. Recommended solution
   1. Determine which patches are appropriate for your operating system.
   2. Hewlett-Packard's HP-UX patches are available via email and the World Wide Web.

      To obtain a copy of the Hewlett-Packard SupportLine email service user's guide, send the following in the TEXT PORTION OF THE MESSAGE to support@us.external.hp.com (no Subject is required):

          send guide

      The user's guide explains the HP-UX patch downloading process via email and other services available.

      World Wide Web service for downloading of patches is available via our URL: http://us.external.hp.com

   3. Apply the patch to your HP-UX system.
   4. Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log (10.X), for any relevant WARNINGs or ERRORs.

D. Impact of the patch
   The patches for HP-UX releases 9.X and 10.X provide enhancements to the chfn executable to avoid this vulnerability.

E. To subscribe to automatically receive future NEW HP Security Bulletins from the HP SupportLine Digest service via electronic mail, do the following:
   1) From your Web browser, access the URL:
          http://us-support.external.hp.com (US, Canada, Asia-Pacific, and Latin-America)
          http://europe-support.external.hp.com (Europe)
   2) On the HP Electronic Support Center main screen, select the hyperlink "Support Information Digests".
   3) On the "Welcome to HP's Support Information Digests" screen, under the heading "Register Now", select the appropriate hyperlink "Americas and Asia-Pacific", or "Europe".
   4) On the "New User Registration" screen, fill in the fields for the User Information and Password and then select the button labeled "Submit New User".
   5) On the "User ID Assigned" screen, select the hyperlink "Support Information Digests".
      ** Note what your assigned user ID and password are for future reference.
   6) You should now be on the "HP Support Information Digests Main" screen. You might want to verify that your email address is correct as displayed on the screen. From this screen, you may also view/subscribe to the digests, including the security bulletins digest.
   To get a patch matrix of current HP-UX and BLS security patches referenced by either Security Bulletin or Platform/OS, click on the following screens in order:
          Technical Knowledge Database
          Browse Security Bulletins
          Security Bulletins Archive
          HP-UX Security Patch Matrix

F. To report new security vulnerabilities, send email to security-alert@hp.com. Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party.

----------------------END HP SECURITY ADVISORY-----------------------------
...........................................................................

---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical expertise essential for the production of this advisory.
---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies.
Postal:         Australian Computer Emergency Response Team
                c/- Prentice Centre
                The University of Queensland
                Brisbane Qld. 4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

14 May 1997  The location of overflow_wrapper.c has changed. Section 3 was updated to show this.

22 Jan 1997  Hewlett-Packard released a security bulletin addressing this vulnerability in the passwd program. This was appended in Appendix A. Section 3 was modified to inform people to apply vendor patches if possible.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~