AA-97.07 -- HP-UX ppl core dump vulnerability
Date: 26 November 1997
===========================================================================
AA-97.07                     AUSCERT Advisory
                    HP-UX ppl core dump vulnerability
                              24 April 1997

Last Revised:   -- 26 November 1997
                REVISED 01 Hewlett-Packard Security bulletin replaced in
                Appendix A.

                A complete revision history is at the end of this file.
---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the ppl(1)
program under HP-UX 9.x and 10.x.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

Vendor patches have been released addressing this vulnerability.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.
---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    HP-UX ppl(1) program used to perform point-to-point serial networking
    using SLIP or CSLIP.

    ppl is a setuid root program.  While ppl is executing with root
    privileges, it is possible for local users to force ppl to core dump.
    As users have the ability to manipulate the location of the core, this
    vulnerability may be used to create or overwrite any file on the
    system.

    This vulnerability is known to exist in HP-UX 9.x and 10.x.

    Exploit information involving this vulnerability has been made publicly
    available.

    The default location for ppl under HP-UX 9.x and 10.x is /usr/bin.

2.  Impact

    Local users may be able to create or overwrite arbitrary files on the
    system.  This can be leveraged to gain root privileges.

3.  Workarounds/Solution

    Official vendor patches have been released by Hewlett-Packard which
    address this vulnerability (Section 3.1).

    Until the patches recommended by Hewlett-Packard can be applied,
    AUSCERT recommends that sites prevent the exploitation of the
    vulnerability in ppl by immediately applying the workaround given in
    Section 3.2.

    If the ppl functionality is required for non-privileged users and the
    patches cannot be applied immediately, AUSCERT recommends that access
    be restricted to a trusted set of users as given in Section 3.3.

3.1 Install vendor patches

    Hewlett-Packard has released a security bulletin, containing patch
    information, addressing the vulnerability described in this advisory.
    The original release of this bulletin has been appended in Appendix A.

    AUSCERT recommends that sites apply the patches given in this bulletin
    immediately.

3.2 Remove setuid and execute permissions

    Until official vendor patches are applied, sites should remove the
    setuid root and execute permissions from ppl.  To do this, the
    following command should be run as root:

        # chmod 400 /usr/bin/ppl
        # ls -l /usr/bin/ppl
        -r--------   1 root     bin        98304 Jan 24 08:13 /usr/bin/ppl

    Note that this will remove the ability for any user to run this
    program.

3.3 Restrict ppl access

    If the ppl functionality is required by a small set of trusted users
    and the patches released by Hewlett-Packard cannot be applied, sites
    may wish to restrict the execution of ppl to that group of users.  For
    example, if the Unix group "trusted" exists and contains only those
    users allowed to use the ppl functionality, the following commands
    will restrict its use:

        # chgrp trusted /usr/bin/ppl
        # chmod 4550 /usr/bin/ppl
        # ls -l /usr/bin/ppl
        -r-sr-x---   1 root     trusted    98304 Jan 24 08:13 /usr/bin/ppl

    Note that access to any account in the "trusted" group will allow the
    ppl package to be exploited.

4.  Previous patches

    During the installation of HP-UX patches, copies of files being
    replaced are saved in case the patches need to be backed out of.  The
    original versions of patched files are stored in the following
    locations:

        HP-UX 9.x:      /system/ /orig/
        HP-UX 10.x:     /var/adm/sw/patch/ /

    If patches for vulnerable programs have been previously installed,
    copies of the vulnerable programs may be available in the above
    locations.  Sites should ensure the directories have permissions which
    restrict access to the patch areas.

5.  Additional measures

    Most Unix systems ship with numerous programs which have setuid or
    setgid privileges.  Often the functionality supplied by these
    privileged programs is not required by many sites.  The large number
    of privileged programs that are shipped by default are to cater for
    all possible uses of the system.

    AUSCERT encourages sites to examine all the setuid/setgid programs and
    determine the necessity of each program.  If a program does not
    absolutely require the setuid/setgid privileges to operate (for
    example, it is only run by the root user), the setuid/setgid
    privileges should be removed.  Furthermore, if a program is not
    required at your site, then all execute permissions should be removed.

    A sample command to find all setuid/setgid programs is (run as root):

        # find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;

    It is AUSCERT's experience that many vulnerabilities are being
    discovered in setuid/setgid programs which are not necessary for the
    correct operation of most systems.  Sites can increase their security
    by removing unnecessary setuid/setgid programs.

    For example, the functionality provided by the ppl program is not
    needed by many sites.  If sites had previously disabled this program,
    they would not have been susceptible to this latest vulnerability.

..............................................................................
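The checks from Sections 4 and 5 combined into one audit of a saved-patch area, as an added example that is not part of the AUSCERT advisory or any Hewlett-Packard tooling. The function names, the directory arguments and the PATCH_EXAMPLE name in the constructed sample tree are assumptions; restrict_area only tightens directory permissions and leaves the saved copies in place so that patches can still be backed out.

```shell
#!/bin/sh
# Added example: audit saved-patch areas (advisory Section 4) with the
# setuid/setgid search from Section 5. Areas are passed as arguments.

# Print every setuid or setgid regular file under directory $1.
privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print every directory under $1 that grants read, write or search
# permission to "other" users.
exposed_dirs() {
    find "$1" -type d \( -perm -0004 -o -perm -0002 -o -perm -0001 \) \
        -print 2>/dev/null
}

# Report findings for one area; return 0 if clean, 1 otherwise.
audit_patch_area() {
    rc=0
    priv=$(privileged_files "$1")
    open=$(exposed_dirs "$1")
    if [ -n "$priv" ]; then
        printf 'privileged copies saved under %s:\n%s\n' "$1" "$priv"
        rc=1
    fi
    if [ -n "$open" ]; then
        printf 'directories under %s open to other users:\n%s\n' "$1" "$open"
        rc=1
    fi
    return "$rc"
}

# Remove group/other access from every directory in the area.
restrict_area() {
    find "$1" -type d -exec chmod go-rwx {} +
}

# Constructed sample tree; PATCH_EXAMPLE is a placeholder patch name.
make_sample_area() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/PATCH_EXAMPLE/orig"
    : > "$root/PATCH_EXAMPLE/orig/ppl"
    chmod 4555 "$root/PATCH_EXAMPLE/orig/ppl"   # saved setuid copy
    chmod 755 "$root/PATCH_EXAMPLE/orig"        # readable by everyone
    chmod 700 "$root/PATCH_EXAMPLE"
    echo "$root"
}

for area in "$@"; do audit_patch_area "$area"; done
```

Run as root with the saved-patch directories for the installed release as arguments; a non-zero exit status means at least one finding was reported.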

Appendix A

----------------------BEGIN HP SECURITY BULLETIN -------------------------
-------------------------------------------------------------------------------
Document ID:  HPSBUX9704-057
Date Loaded:  971124
      Title:  Security Vulnerability in ppl command

-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD SECURITY BULLETIN: #00057, 22 April 1997
Last Revised: 24 November 1997
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett-Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:  Security Vulnerability in [/usr]/bin/ppl

PLATFORM: HP 9000 Series 700/800s running HP-UX releases 9.X & 10.X

DAMAGE:   Vulnerability exists that could allow local users to gain root
          privileges.

SOLUTION: Apply patch:
**REVISED 01**
          PHNE_13179 for all platforms with HP-UX releases 9.X,
          PHNE_13180 for all platforms with HP-UX releases 10.00 & 10.01,
          PHNE_13181 for all platforms with HP-UX release 10.10,
          PHNE_13182 for all platforms with HP-UX release 10.20,
          PHNE_12499 for all platforms with HP-UX release 10.30.

AVAILABILITY: All patches are currently available.

CHANGE SUMMARY: This bulletin revision references new & improved patches.
-------------------------------------------------------------------------
I.
   A. Background
      A vulnerability in the ppl executable ([/usr]/bin/ppl) exists.
      (Detailed in AUSCERT Advisory AA-97.07).

   B. Fixing the problem
**REVISED 01**
      The vulnerability can be eliminated from HP-UX releases 9.X and up
      to and including 10.30, by applying the appropriate patch.

   C. Recommended solution
**REVISED 01**
      1.  Determine which patch is appropriate for your operating system.
          HP-UX version 10.00 users are encouraged to upgrade to HP-UX
          version 10.01 or above.

          NOTE: HP-UX release 10.24 (VVOS) is not vulnerable.

          World Wide Web service for downloading of patches is available
          for free by registered users via our URL at the Electronic
          Support Center (ESC).  (See Section E below).

      2.  Apply the patch to your HP-UX system.

      3.  Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log
          (10.X), for any relevant WARNING's or ERROR's.

   D. Impact of the patch
      The patches for HP-UX releases 9.X and 10.X provide enhancements to
      the ppl executable to avoid this vulnerability.

   E. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP ESC via electronic mail, and to download
      patches for free by registered users, do the following:

      Use your browser to get to the HP Electronic Support Center page at:

        http://us-support.external.hp.com
               (for US, Canada, Asia-Pacific, & Latin-America)

        http://europe-support.external.hp.com
               (for Europe)

      Click on the Technical Knowledge Database, register as a user
      (remember to save the User ID assigned to you, and your password),
      and it will connect to a HP Search Technical Knowledge DB page.
      Near the bottom is a hyperlink to our Security Bulletin archive.
      Once in the archive there is another link to our current security
      patch matrix.  Updated daily, this matrix is categorized by
      platform/OS release, and by bulletin topic.

   F. To report new security vulnerabilities, send email to

        security-alert@hp.com

      Please encrypt any exploit information using the security-alert PGP
      key, available from your local key server, or by sending a message
      with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.

      Permission is granted for copying and circulating this Bulletin to
      Hewlett-Packard (HP) customers (or the Internet community) for the
      purpose of alerting them to problems, if and only if, the Bulletin
      is not edited or changed in any way, is attributed to HP, and
      provided such reproduction and/or distribution is performed for
      non-commercial purposes.

      Any other use of this information is prohibited.  HP is not liable
      for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID:  HPSBUX9704-057--------------------------------------
----------------------- END HP SECURITY BULLETIN ----------------------------

..............................................................................

---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.
---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.
This archive contains past SERT and AUSCERT Advisories, and other computer
security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

26 Nov 1997     Hewlett-Packard has released the REVISED 01 version of
                their security bulletin addressing this vulnerability in
                the ppl program.  This has been replaced in Appendix A.
                Updated AUSCERT's contact details.

24 Apr 1997     Hewlett-Packard has released a security bulletin
                addressing this vulnerability in the ppl program.  This
                was appended in Appendix A.  Section 3 was modified to
                include this information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~