Date: 13 March 1997
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.04 AUSCERT Advisory
HP-UX vgdisplay Buffer Overrun Vulnerability
7 February 1997
Last Revised: 13 March 1997
Added HP Security bulletin in Appendix A.
Changed Section 3 to include vendor patches information.
A complete revision history is at the end of this file.
- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the
vgdisplay(1M) program which is part of the Logical Volume Manager subsystem
under HP-UX 10.x.
This vulnerability may allow local users to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
Vendor patches have been released addressing this vulnerability.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
- ---------------------------------------------------------------------------
1. Description
The HP-UX Logical Volume Manager (LVM) is a subsystem for managing
disk space. It comprises a number of auxiliary programs used to
create, display and manipulate the LVM information.
AUSCERT has received information that a vulnerability exists in the
vgdisplay(1M) program used to display information about LVM volume
groups.
Due to insufficient bounds checking on arguments which are supplied
by users, it is possible to overwrite the internal stack space of the
vgdisplay program while it is executing. By supplying a carefully
designed argument to the vgdisplay program, intruders may be able to
force vgdisplay to execute arbitrary commands. As vgdisplay is setuid
root, this may allow intruders to run arbitrary commands with root
privileges.
This vulnerability is known to affect HP-UX 10.x.
Note that many of the LVM utility programs are hard links to
vgdisplay(1M). A hard link is simply another name for the same file, so
these utilities are the same binary as vgdisplay and are subject to the
same attack.
The following programs are all hard links: lvchange, lvcreate,
lvdisplay, lvextend, lvlnboot, lvreduce, lvremove, lvrmboot, pvchange,
pvcreate, pvdisplay, pvmove, vgcfgbackup, vgcfgrestore, vgchange,
vgcreate, vgdisplay, vgexport, vgextend, vgimport, vgreduce, vgremove,
vgscan.
By default, dynamically linked versions of the LVM programs are found
in /usr/sbin under HP-UX 10.x. Statically linked versions are also
available under HP-UX 10.x in /sbin.
Exploit information involving this vulnerability has been made
publicly available.
2. Impact
Local users may gain root privileges.
3. Workarounds/Solution
Official vendor patches have been released by Hewlett-Packard which
address this vulnerability (Section 3.1).
If the patches recommended by Hewlett-Packard cannot be applied,
AUSCERT recommends that sites limit the possible exploitation of this
vulnerability by immediately removing the setuid permissions as stated
in Section 3.2.
3.1 Install vendor patches
Hewlett-Packard has released a security bulletin, containing patch
information, addressing the vulnerability described in this advisory.
The original release of this bulletin has been appended in Appendix A.
A current version of this security bulletin can be retrieved from:
http://us.external.hp.com/search/bin/wwwsdoc.pl?DOCID=HPSBUX9702-056
AUSCERT recommends that sites apply the patches given in this bulletin
immediately.
3.2 Remove setuid and non-root execute permissions
To prevent the exploitation of the vulnerability described in this
advisory, AUSCERT recommends that the setuid permissions be removed
from the vgdisplay program immediately. Note that permission changes
to vgdisplay will also affect those LVM utility programs which are
hard links to vgdisplay.
As the vgdisplay and related programs will no longer work for non-root
users, it is recommended that the execute permissions also be removed.
Sites will need to restrict permissions on both the dynamically linked
copies in /usr/sbin and the statically linked copies in /sbin.
First, restrict permissions on the copies in /usr/sbin. For example:
# ls -l /usr/sbin/vgdisplay
-r-sr-xr-x 23 root sys 376832 Jun 10 1996 /usr/sbin/vgdisplay
# chmod 500 /usr/sbin/vgdisplay
# ls -l /usr/sbin/vgdisplay
-r-x------ 23 root sys 376832 Jun 10 1996 /usr/sbin/vgdisplay
Second, restrict permissions on the copies in /sbin. For example:
# ls -l /sbin/vgdisplay
-r-sr-xr-x 23 root sys 606208 Jun 10 1996 /sbin/vgdisplay
# chmod 500 /sbin/vgdisplay
# ls -l /sbin/vgdisplay
-r-x------ 23 root sys 606208 Jun 10 1996 /sbin/vgdisplay
Note that this will remove the ability for any non-root user to run
vgdisplay or any of the LVM utility programs which are hard linked to
vgdisplay.
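As an added illustration (not part of the AUSCERT advisory or HP's
bulletin), the following POSIX shell script performs the chmod 500 step
on a given path and then checks that the setuid bit is gone from every
hard link sharing that inode, which is the point made above about the
linked LVM utilities. It assumes only ls, find and chmod. The scratch tree
built by build_demo_tree under a temporary directory is constructed for
practice and contains placeholder scripts, not real LVM binaries; on an
HP-UX 10.x host the real targets are /usr/sbin/vgdisplay and
/sbin/vgdisplay, run as root.

```shell
#!/bin/sh
# Added example, not from the AUSCERT advisory or HP: drop setuid from a
# privileged LVM binary and confirm the change reached all of its hard links.

# is_setuid FILE -> exit 0 when FILE carries the setuid bit
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# link_count FILE -> number of hard links to FILE's inode (ls -l field 2)
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# count_setuid_in DIR -> number of setuid regular files under DIR
count_setuid_in() {
    find "$1" -type f -perm -4000 -print | wc -l | tr -d ' '
}

# restrict_lvm_binary FILE
# Applies chmod 500 (owner read/execute only, no setuid), as in section 3.2,
# then verifies the setuid bit is gone. Because every hard link names the
# same inode, the mode change covers lvdisplay, vgchange, ... as well.
# Returns 0 on success, 1 if FILE is missing or is still setuid afterwards.
restrict_lvm_binary() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    n=$(link_count "$f")
    chmod 500 "$f" || return 1
    if is_setuid "$f"; then
        echo "FAILED: $f is still setuid" >&2
        return 1
    fi
    echo "$f: setuid removed (mode 500); $n hard link(s) share this inode"
}

# build_demo_tree DIR
# Constructed stand-in for the HP-UX layout (assumption, for practice only):
# a mode-4555 "vgdisplay" in both usr/sbin and sbin, with a few of the
# utility names hard-linked to it. These are dummy scripts, not LVM code.
build_demo_tree() {
    root=$1
    for d in usr/sbin sbin; do
        mkdir -p "$root/$d"
        printf '#!/bin/sh\necho placeholder vgdisplay\n' > "$root/$d/vgdisplay"
        chmod 4555 "$root/$d/vgdisplay"
        for link in lvdisplay pvdisplay vgchange vgscan; do
            ln "$root/$d/vgdisplay" "$root/$d/$link"
        done
    done
}

# demo DIR -> 0 when no setuid file is left under DIR after the two chmods
demo() {
    build_demo_tree "$1"
    before=$(count_setuid_in "$1")
    restrict_lvm_binary "$1/usr/sbin/vgdisplay" || return 1
    restrict_lvm_binary "$1/sbin/vgdisplay" || return 1
    after=$(count_setuid_in "$1")
    echo "setuid files under $1: $before before, $after after"
    [ "$after" -eq 0 ]
}

# Usage for practice as an ordinary user:  sh restrict_lvm.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    demo "$tmp"
    rm -rf "$tmp"
fi
```

The demo reports ten setuid paths before the change (five names per
directory) and none after, even though only the two vgdisplay paths were
passed to chmod. On a real system, run restrict_lvm_binary against both the
/usr/sbin and the /sbin copy; they are separate inodes, so one chmod does
not cover the other.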
4. Previous patches
During the installation of HP-UX patches, copies of files being
replaced are saved in case the patches need to be backed out of. The
original versions of patched files are often stored in the following
location:
HP-UX 10.x: /var/adm/sw/patch/<PATCH_NAME>/
If patches for vulnerable programs have been previously installed,
copies of the vulnerable programs may be available in the above
location. Sites should ensure the directories have permissions
which restrict access to the patch areas.
5. Additional measures
Most Unix systems ship numerous programs which have setuid or
setgid privileges. Often the functionality supplied by these
privileged programs is not required by many sites. The large number
of privileged programs shipped by default is there to cater for
all possible uses of the system.
AUSCERT encourages sites to examine all the setuid/setgid programs
and determine the necessity of each program. If a program does not
absolutely require the setuid/setgid privileges to operate (for
example, it is only run by the root user), the setuid/setgid
privileges should be removed. Furthermore, if a program is not
required at your site, then all execute permissions should be removed.
A sample command to find all setuid/setgid programs is (run as root):
# find / \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
It is AUSCERT's experience that many vulnerabilities are being
discovered in setuid/setgid programs which are not necessary for the
correct operation of most systems. Sites can increase their security
by removing unnecessary setuid/setgid programs.
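The find command above gives a one-off listing. As an added example (not
from the AUSCERT advisory or HP's bulletin), the following POSIX shell
script turns that listing into a sortable inventory of setuid/setgid
programs and compares it against a saved baseline, so that a privileged
program that appears or changes mode after a patch install is noticed. It
assumes only find, ls, awk, sort and comm; the directory tree built in the
self-test is constructed and is not a real system layout.

```shell
#!/bin/sh
# Added example, not from the AUSCERT advisory or HP: inventory the
# setuid/setgid programs under a directory and diff against a baseline.
# Run as root with DIR=/ on a real host; paths containing spaces are not
# handled (the last ls field is taken as the path).

# inventory_privileged DIR
# One line per setuid or setgid regular file under DIR, sorted:
#   <mode> <links> <owner> <group> <path>
# The parentheses are escaped so the shell hands them to find unchanged.
inventory_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
        awk '{ print $1, $2, $3, $4, $NF }' | sort
}

# count_privileged DIR -> number of setuid/setgid regular files under DIR
count_privileged() {
    inventory_privileged "$1" | wc -l | tr -d ' '
}

# compare_inventory BASELINE DIR
# Prints "+ entry" for privileged files not in BASELINE and "- entry" for
# baseline entries no longer matching (file gone, or mode/owner changed).
# Returns 0 when nothing changed, 1 otherwise.
compare_inventory() {
    base=$1
    cur=$(mktemp)
    inventory_privileged "$2" > "$cur"
    added=$(comm -13 "$base" "$cur")
    removed=$(comm -23 "$base" "$cur")
    rm -f "$cur"
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    return 1
}

# Usage on a live system (as root):
#   inventory_privileged / > /var/adm/setuid.baseline   # once, after review
#   compare_inventory /var/adm/setuid.baseline /        # after each patch
```

Each '+' line is a privileged program that was not there when the baseline
was taken and deserves the same "is setuid really needed?" question as the
rest. Because the walk covers the whole filesystem, saved copies of patched
binaries under /var/adm/sw/patch/<PATCH_NAME>/ (section 4) are listed too if
they kept their setuid bits.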
...........................................................................
Appendix A
- ----------------------BEGIN HP SECURITY ADVISORY----------------------------
- -------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00056, 20 February 1997
- -------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
- -------------------------------------------------------------------------
PROBLEM: Vulnerability in vgdisplay command
PLATFORM: HP 9000 Series 700/800s running HP-UX release 10.X
DAMAGE: Allows local user unauthorized root access.
SOLUTION: Apply the following patch:
PHCO_10048 on all platforms with HP-UX releases 10.20,
PHCO_10059 on all platforms with HP-UX releases 10.10,
PHCO_10060 on all platforms with HP-UX releases 10.01,
PHCO_10061 on all platforms with HP-UX releases 10.00,
PHCO_10052 on all platforms with HP-UX releases 10.24.
NOTE: HP-UX release 9.X is not affected.
AVAILABILITY: All patches are available now.
- -------------------------------------------------------------------------
I.
A. Background
Hewlett-Packard has learned of the need for patches on the LVM
command vgdisplay.
B. Recommended solution
The system administrator needs to obtain and apply the patches
mentioned above.
C. Impact of the patch
The patch is a cumulative LVM command and fully fixes the
vulnerability.
D. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP SupportLine Digest service via electronic
mail, do the following:
1) From your Web browser, access the URL:
http://us-support.external.hp.com (US,Canada,
Asia-Pacific, and Latin-America)
http://europe-support.external.hp.com (Europe)
2) On the HP Electronic Support Center main screen, select
the hyperlink "Support Information Digests".
3) On the "Welcome to HP's Support Information Digests" screen,
under the heading "Register Now", select the appropriate hyperlink
"Americas and Asia-Pacific", or "Europe".
4) On the "New User Registration" screen, fill in the fields for
the User Information and Password and then select the button
labeled "Submit New User".
5) On the "User ID Assigned" screen, select the hyperlink
"Support Information Digests".
** Note what your assigned user ID and password are for future
reference.
6) You should now be on the "HP Support Information Digests Main"
screen. You might want to verify that your email address is
correct as displayed on the screen. From this screen, you may
also view/subscribe to the digests, including the security
bulletins digest.
To get a patch matrix of current HP-UX and BLS security
patches referenced by either Security Bulletin or Platform/OS,
click on following screens in order:
Technical Knowledge Database
Browse Security Bulletins
Security Bulletins Archive
HP-UX Security Patch Matrix
E. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin is
not edited or changed in any way, is attributed to HP, and provided
such reproduction and/or distribution is performed for non-commercial
purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
- -----------------------END HP SECURITY ADVISORY-----------------------------
...........................................................................
- ---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
13 Mar 1997 Hewlett-Packard released a security bulletin addressing
this vulnerability in the vgdisplay program. This was
appended in Appendix A. Section 3 was modified to inform
people to apply vendor patches if possible.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBMygOnyh9+71yA2DNAQFowAP+LzBg6dZ41el8TXlBdzm23efkUhjfj4fL
EJWugJBLB5SKjz1v5sovYKphqyw8PmTE4FxOwdtG5Je75EOMDaKiXKYwUmZVTMdE
O/+6FikpbRh2TPVNJTdi9pPBLZHkXVR0P0ai5mNfChSqO4f6QVQVtamHjTCO5/cq
9aogtv6rDM0=
=fLUw
-----END PGP SIGNATURE-----