AA-97.07 -- HP-UX ppl core dump vulnerability
Date: 26 November 1997
Original URL: http://www.auscert.org.au/render.html?cid=1&it=1881
===========================================================================
AA-97.07 AUSCERT Advisory
HP-UX ppl core dump vulnerability
24 April 1997
Last Revised: -- 26 November 1997
REVISED 01 Hewlett-Packard Security bulletin replaced in
Appendix A.
A complete revision history is at the end of this file.
---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the ppl(1)
program under HP-UX 9.x and 10.x.
This vulnerability may allow local users to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
Vendor patches have been released addressing this vulnerability.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
---------------------------------------------------------------------------
1. Description
AUSCERT has received information that a vulnerability exists in the
HP-UX ppl(1) program used to perform point-to-point serial networking
using SLIP or CSLIP.
ppl is a setuid root program. While ppl is executing with root
privileges, it is possible for local users to force ppl to core dump.
As users have the ability to manipulate the location of the core, this
vulnerability may be used to create or overwrite any file on the
system.
This vulnerability is known to exist in HP-UX 9.x and 10.x.
Exploit information involving this vulnerability has been made publicly
available.
The default location for ppl under HP-UX 9.x and 10.x is /usr/bin.
2. Impact
Local users may be able to create or overwrite arbitrary files on the
system. This can be leveraged to gain root privileges.
3. Workarounds/Solution
Official vendor patches have been released by Hewlett-Packard which
address this vulnerability (Section 3.1).
Until the patches recommended by Hewlett-Packard can be applied,
AUSCERT recommends that sites prevent the exploitation of the
vulnerability in ppl by immediately applying the workaround given in
Section 3.2.
If the ppl functionality is required by non-privileged users and the
patches cannot be applied immediately, AUSCERT recommends that access
be restricted to a trusted set of users as given in Section 3.3.
3.1 Install vendor patches
Hewlett-Packard has released a security bulletin, containing patch
information, addressing the vulnerability described in this advisory.
The original release of this bulletin has been appended in Appendix A.
AUSCERT recommends that sites apply the patches given in this bulletin
immediately.
3.2 Remove setuid and execute permissions
Until official vendor patches are applied, sites should remove the
setuid root and execute permissions from ppl. To do this, the following
command should be run as root:
# chmod 400 /usr/bin/ppl
# ls -l /usr/bin/ppl
-r-------- 1 root bin 98304 Jan 24 08:13 /usr/bin/ppl
Note that this will remove the ability for any user to run this
program.
3.3 Restrict ppl access
If the ppl functionality is required by a small set of trusted users
and the patches released by Hewlett-Packard cannot be applied, sites
may wish to restrict the execution of ppl to that group of users.
For example, if the Unix group "trusted" exists and contains only
those users allowed to use the ppl functionality, the following
commands will restrict its use:
# chgrp trusted /usr/bin/ppl
# chmod 4550 /usr/bin/ppl
# ls -l /usr/bin/ppl
-r-sr-x--- 1 root trusted 98304 Jan 24 08:13 /usr/bin/ppl
Note that access to any account in the "trusted" group will still allow
the ppl program to be exploited.
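The following script is an added example and is not part of the AUSCERT
advisory or of any HP tool. It classifies the permission state of a
setuid program against the shipped state and the two workarounds in
Sections 3.2 and 3.3, using only find(1) tests that exist on any POSIX
system, and demonstrates the classification on a constructed stand-in
file (the temporary directory and the name ppl_stub are assumptions; no
real ppl binary is touched). It does not check the file's group, so a
3.3-style restriction must still be verified with ls -l as shown above.

```shell
#!/bin/sh
# Added example (not from the AUSCERT advisory or from HP): report whether a
# setuid program is still exposed, restricted to owner/group, or disabled.
# The demo path ppl_stub under a temporary directory is an assumption.

# Return 0 if PATH carries the setuid bit (the state ppl ships in).
is_setuid() {
    [ -n "$(find "$1" -perm -4000 -print 2>/dev/null)" ]
}

# Return 0 if the "other" execute bit is set, i.e. every local user may run it.
is_world_exec() {
    [ -n "$(find "$1" -perm -001 -print 2>/dev/null)" ]
}

# Return 0 if any execute bit (owner, group or other) is set.
is_any_exec() {
    [ -n "$(find "$1" \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null)" ]
}

# Print one word describing how exposed PATH is:
#   exposed     setuid and executable by everyone (shipped state, mode 4755)
#   restricted  setuid but only owner and group may execute (Section 3.3, 4550)
#   disabled    neither setuid nor executable by anyone (Section 3.2, 400)
#   partial     anything else, e.g. execute bits left on a non-setuid copy
ppl_state() {
    if is_setuid "$1"; then
        if is_world_exec "$1"; then echo exposed; else echo restricted; fi
    elif is_any_exec "$1"; then
        echo partial
    else
        echo disabled
    fi
}

# Demonstration on a constructed empty file, walked through the three states.
demo_dir="${TMPDIR:-/tmp}/ppl_demo.$$"
mkdir "$demo_dir" && : > "$demo_dir/ppl_stub"
chmod 4755 "$demo_dir/ppl_stub"; echo "shipped:   $(ppl_state "$demo_dir/ppl_stub")"
chmod 400  "$demo_dir/ppl_stub"; echo "after 3.2: $(ppl_state "$demo_dir/ppl_stub")"
chmod 4550 "$demo_dir/ppl_stub"; echo "after 3.3: $(ppl_state "$demo_dir/ppl_stub")"
rm -rf "$demo_dir"
```

Run it as any user; for the real binary, call ppl_state /usr/bin/ppl after
applying a workaround and confirm the word printed matches the section you
followed.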
4. Previous patches
During the installation of HP-UX patches, copies of files being
replaced are saved in case the patches need to be backed out of. The
original versions of patched files are stored in the following
locations:
HP-UX 9.x: /system/<PATCH-NAME>/orig/
HP-UX 10.x: /var/adm/sw/patch/<PATCH_NAME>/
If patches for vulnerable programs have been previously installed,
copies of the vulnerable programs may be available in the above
locations. Sites should ensure the directories have permissions
which restrict access to the patch areas.
5. Additional measures
Most Unix systems ship with numerous programs which have setuid or
setgid privileges. Often the functionality supplied by these
privileged programs is not required by many sites. The large number
of privileged programs shipped by default is there to cater for
all possible uses of the system.
AUSCERT encourages sites to examine all the setuid/setgid programs
and determine the necessity of each program. If a program does not
absolutely require the setuid/setgid privileges to operate (for
example, it is only run by the root user), the setuid/setgid
privileges should be removed. Furthermore, if a program is not
required at your site, then all execute permissions should be removed.
A sample command to find all setuid/setgid programs is (run as root):
# find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;
It is AUSCERT's experience that many vulnerabilities are being discovered
in setuid/setgid programs which are not necessary for the correct
operation of most systems. Sites can increase their security
by removing unnecessary setuid/setgid programs.
For example, the functionality provided by the ppl program is
not needed by many sites. If sites had previously disabled this
program, they would not have been susceptible to this latest
vulnerability.
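The following script is an added example and is not part of the AUSCERT
advisory or of any HP tool. It turns the find command above into a
repeatable audit: it lists every setuid/setgid file below a root
directory, reports the ones missing from a site baseline so they can be
justified or disabled (Section 5), and checks that patch backup
directories are not readable by other users (Section 4). The directory
tree it builds, the baseline entries and the file names in it are
constructed for the demonstration; the patch name PHNE_13180 is taken
from Appendix A.

```shell
#!/bin/sh
# Added example (not from the AUSCERT advisory or from HP): audit privileged
# programs against a baseline and check patch backup directory permissions.
# The demo tree, baseline contents and file names below are constructed.

# List every setuid or setgid regular file below ROOT, one path per line,
# relative to ROOT and sorted so the output is stable.
list_privileged() {
    ( cd "$1" && find . \( -perm -4000 -o -perm -2000 \) -type f -print | sort )
}

# Print privileged files below ROOT (arg 1) that are absent from the
# BASELINE file (arg 2, one relative path per line). These are the
# programs whose setuid/setgid bits a site has not yet justified.
unexpected_privileged() {
    list_privileged "$1" | while IFS= read -r f; do
        grep -qxF "$f" "$2" || echo "$f"
    done
}

# Print directories below ROOT that group or other users can read or enter.
# For patch backup areas (Section 4) this list should be empty.
accessible_to_others() {
    ( cd "$1" && find . -type d ! -name . \
        \( -perm -040 -o -perm -010 -o -perm -004 -o -perm -001 \) -print | sort )
}

# Demonstration on a constructed tree: two setuid files, one setgid file,
# one ordinary file, and a saved pre-patch copy under the patch area.
demo="${TMPDIR:-/tmp}/suid_audit.$$"
mkdir -p "$demo/usr/bin" "$demo/var/adm/sw/patch/PHNE_13180"
: > "$demo/usr/bin/ppl";    chmod 4755 "$demo/usr/bin/ppl"
: > "$demo/usr/bin/passwd"; chmod 4755 "$demo/usr/bin/passwd"
: > "$demo/usr/bin/wall";   chmod 2755 "$demo/usr/bin/wall"
: > "$demo/usr/bin/ls";     chmod 755  "$demo/usr/bin/ls"
: > "$demo/var/adm/sw/patch/PHNE_13180/ppl"
chmod 4755 "$demo/var/adm/sw/patch/PHNE_13180/ppl"
chmod 755  "$demo/var/adm/sw/patch/PHNE_13180"
printf './usr/bin/passwd\n' > "$demo/baseline"   # the only approved entry

echo "privileged files not in baseline:"
unexpected_privileged "$demo" "$demo/baseline"
echo "patch backup dirs readable by others:"
accessible_to_others "$demo/var/adm/sw/patch"
chmod 700 "$demo/var/adm/sw/patch/PHNE_13180"
echo "after chmod 700: $(accessible_to_others "$demo/var/adm/sw/patch" | wc -l | tr -d ' ') left"
rm -rf "$demo"
```

On a real system run unexpected_privileged / against a baseline written
when the system was last reviewed; every line it prints is a program to
either add to the baseline with a reason or strip of its privileges as
Section 5 recommends.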
..............................................................................
Appendix A
----------------------BEGIN HP SECURITY BULLETIN -------------------------
-------------------------------------------------------------------------------
Document ID: HPSBUX9704-057
Date Loaded: 971124
Title: Security Vulnerability in ppl command
-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD SECURITY BULLETIN: #00057, 22 April 1997
Last Revised: 24 November 1997
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett-Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM: Security Vulnerability in [/usr]/bin/ppl
PLATFORM: HP 9000 Series 700/800s running HP-UX releases 9.X & 10.X
DAMAGE: Vulnerability exists that could allow local users to gain
root privileges.
SOLUTION: Apply patch:
**REVISED 01**
PHNE_13179 for all platforms with HP-UX releases 9.X,
PHNE_13180 for all platforms with HP-UX releases 10.00 & 10.01,
PHNE_13181 for all platforms with HP-UX release 10.10,
PHNE_13182 for all platforms with HP-UX release 10.20,
PHNE_12499 for all platforms with HP-UX release 10.30.
AVAILABILITY: All patches are currently available.
CHANGE SUMMARY: This bulletin revision references new & improved patches.
-------------------------------------------------------------------------
I.
A. Background
A vulnerability in the ppl executable ([/usr]/bin/ppl) exists.
(Detailed in AUSCERT Advisory AA-97.07).
B. Fixing the problem
**REVISED 01**
The vulnerability can be eliminated from HP-UX releases 9.X and
up to and including 10.30, by applying the appropriate patch.
C. Recommended solution
**REVISED 01**
1. Determine which patch is appropriate for your operating
system. HP-UX version 10.00 users are encouraged to upgrade
to HP-UX version 10.01 or above.
NOTE: HP-UX release 10.24 (VVOS) is not vulnerable.
World Wide Web service for downloading of patches is available
for free by registered users via our URL at the Electronic
Support Center (ESC). (See Section E below).
2. Apply the patch to your HP-UX system.
3. Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log
(10.X), for any relevant WARNINGs or ERRORs.
D. Impact of the patch
The patches for HP-UX releases 9.X and 10.X provide enhancements
to the ppl executable to avoid this vulnerability.
E. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP ESC via electronic mail, and to download
patches for free by registered users, do the following:
Use your browser to get to the HP Electronic Support Center page at:
http://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)
http://europe-support.external.hp.com
(for Europe)
Click on the Technical Knowledge Database, register as a user
(remember to save the User ID assigned to you, and your password),
and it will connect to an HP Search Technical Knowledge DB page.
Near the bottom is a hyperlink to our Security Bulletin archive.
Once in the archive there is another link to our current
security patch matrix. Updated daily, this matrix is categorized
by platform/OS release, and by bulletin topic.
F. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin
is not edited or changed in any way, is attributed to HP, and
provided such reproduction and/or distribution is performed for
non-commercial purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBUX9704-057--------------------------------------
----------------------- END HP SECURITY BULLETIN ----------------------------
..............................................................................
---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.
---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
26 Nov 1997 Hewlett-Packard has released the REVISED 01 version of their
security bulletin addressing this vulnerability in the ppl
program. This has been replaced in Appendix A.
Updated AUSCERT's contact details.
24 Apr 1997 Hewlett-Packard has released a security bulletin addressing
this vulnerability in the ppl program. This was appended
in Appendix A. Section 3 was modified to include this
information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~