-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.09                        AUSCERT Advisory
              HP-UX SYSDIAG Online Diagnostics Subsystem Vulnerability
                                12 November 1996

Last Revised: --

- ---------------------------------------------------------------------------

AUSCERT has received information that there is a vulnerability in the
SYSDIAG Online Diagnostics Subsystem supplied by Hewlett Packard.  This
vulnerability is present under both HP-UX 9.x and 10.x

This vulnerability may allow local users to gain root privileges.

Exploit details involving this vulnerability have been widely distributed.

Official patches may be released by Hewlett Packard to address this
vulnerability in the future.  Until patches are made available, AUSCERT
recommends that sites take the actions suggested in Section 3.1.

This advisory will be updated when vendor patches are made available.

- ---------------------------------------------------------------------------

1.  Description

    The HP SYSDIAG Online Diagnostics Subsystem enables users to run
    online diagnostic programs to diagnose suspected system hardware
    problems.

    Some programs supplied with the SYSDIAG package create files in
    an insecure manner.  As these programs execute with root
    privileges, it is possible to create arbitrary files on the system.

    The SYSDIAG subsystem may be installed under both HP-UX 9.x and 10.x.
    The default location of the programs used by the SYSDIAG package
    differs between the 9.x and 10.x releases of the operating system.

    To determine if the SYSDIAG programs are installed, sites should check
    for the presence of the program "sysdiag".

    Under HP-UX 9.x:
   
  % ls -l /bin/sysdiag

    Under HP-UX 10.x:
  
  % ls -l /usr/sbin/sysdiag

    Individual sites are encouraged to check their systems for the SYSDIAG
    package, and if installed, take the actions recommended in Section 3.

2.  Impact

    Local users may be able to create arbitrary files on the system.  This
    may be leveraged to gain root privileges.

3.  Workarounds/Solution

    AUSCERT recommends that sites prevent the possible exploitation of
    this vulnerability by immediately applying the workaround given in
    Section 3.1.

    Currently there are no vendor patches available that address this
    vulnerability.  AUSCERT recommends that official vendor patches be
    installed when they are made available.

3.1 Remove setuid permissions

    Until official vendor patches are made available, sites should
    remove the setuid root permissions from the vulnerable programs.  To
    do this, the following commands should be run as root:

    Under HP-UX 9.x
  
  # chmod u-s /bin/sysdiag
  # chmod u-s /usr/diag/bin/*

    Under HP-UX 10.x

  # chmod u-s /usr/sbin/sysdiag
  # chmod u-s /usr/sbin/diag/*

    Note that this will restrict non-root users from using the SYSDIAG
    subsystem diagnostic tools.

    When using any of the SYSDIAG subsystem programs as root, system
    administrators should ensure that they do not use the "outfile"
    sub-command to write files in world writable directories.  Writing
    files in such directories may leave the system open to exploitation
    of this vulnerability.

- ---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.  Thanks also to
Viviani Paz (The University of Queensland) for her assistance in this
matter.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:  (07) 3365 4477
Telephone:  (07) 3365 4417 (International: +61 7 3365 4417)
    AUSCERT personnel answer during Queensland business hours
    which are GMT+10:00 (AEST).
    On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMohljih9+71yA2DNAQEY/wP+NyRvPnVOuP4aR7pQKaGKuhqGRIx7fya7
+DAEQ7xwD4Bc0uaKUnkj58fOBSmTh8BBqSFZMASKw8dh0BFIf+166kSKw1S6bJhk
fvlWacxFWkxgM4SWnEszVW+jGrfXrTwkE2xtW3mpDN4EKvC4K6VTH4QdF2/4lK0t
6SdIb+Rm7iA=
=yMkL
-----END PGP SIGNATURE-----