-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.16                        AUSCERT Advisory
                      HP-UX newgrp Buffer Overrun Vulnerability
                                3 December 1996

Last Revised:   14 May 1997
                The location of overflow_wrapper.c has changed.  Section
                3 was updated to show this.
 

                A complete revision history is at the end of this file.

- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the
newgrp(1) program under HP-UX 9.x and 10.x.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

Vendor patches have been released addressing this vulnerability.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

- ---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    HP-UX newgrp(1) program.  The newgrp command is used to change a users
    group identification, and is installed by default.

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    newgrp program while it is executing.  By supplying a carefully
    designed argument to the newgrp program, intruders may be able to
    force newgrp to execute arbitrary commands.  As newgrp is setuid
    root, this may allow intruders to run arbitrary commands with root
    privileges.

    This vulnerability is known to affect both HP-UX 9.x and 10.x.

    By default, newgrp is located in /bin under HP-UX 9.x and in
    /usr/bin under HP-UX 10.x.

    Exploit information involving this vulnerability has been made 
    publicly available.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    Official vendor patches have been released by Hewlett-Packard which
    address this vulnerability (Section 3.1).

    If the patches supplied by Hewlett-Packard cannot be applied, AUSCERT
    recommends that sites limit the possible exploitation of this
    vulnerability by immediately removing the setuid permissions as stated
    in Section 3.2.  If the newgrp command is required, AUSCERT recommends
    the newgrp wrapper program given in Section 3.3 be installed.

3.1 Install vendor patches

    Hewlett-Packard has released a security bulletin, containing patch
    information, addressing the vulnerability described in this advisory.
    The original release of this bulletin has been appended in Appendix A.
    A current version of this security bulletin can be retrieved from:

       http://us.external.hp.com:80/search/bin/wwwsdoc.pl?DOCID=HPSBUX9701-048

    AUSCERT recommends that sites apply the patches given in this bulletin
    immediately.

3.2 Remove setuid and non-root execute permissions

    To prevent the exploitation of the vulnerability described in the
    advisory, AUSCERT recommends that the setuid permissions be removed
    from the newgrp program immediately.  As the newgrp program will no
    longer work for non-root users, it is recommended that the execute
    permissions also be removed.  Before doing so, the original permissions
    for newgrp should be noted as they will be needed if sites choose to
    install the newgrp wrapper program (Section 3.2).

    For HP-UX 9.x:

  # ls -l /bin/newgrp
  -r-sr-xr-x   1 root     sys        16384 Dec  2 13:45 /bin/newgrp

  # chmod 500 /bin/newgrp
        # ls -l /bin/newgrp     
  -r-x------   1 root     sys        16384 Dec  2 13:45 /bin/newgrp

    For HP-UX 10.x:

  # ls -l /usr/bin/newgrp
  -r-sr-xr-x   1 root     sys        12288 Dec  2 13:27 /usr/bin/newgrp

  # chmod 500 /usr/bin/newgrp
        # ls -l /usr/bin/newgrp     
  -r-x------   1 root     sys        12288 Dec  2 13:27 /usr/bin/newgrp

    Note that this will remove the ability for any non-root user to run the
    newgrp program. 

3.3 Install newgrp wrapper

    AUSCERT has developed a wrapper to help prevent programs from being
    exploited using the vulnerability described in this advisory.  This
    wrapper, including installation instructions, can be found at:

ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c


    This replaces the newgrp program with a wrapper which checks the
    length of the command line arguments passed to it.  If an argument
    exceeds a certain predefined value (MAXARGLEN), the wrapper exits
    without executing the newgrp command.  The wrapper program can also
    be configured to syslog any failed attempts to execute newgrp with
    arguments exceeding MAXARGLEN.  For further instructions on using
    this wrapper, please read the comments at the top of overflow_wrapper.c.

    When compiling overflow_wrapper.c for use with HP-UX newgrp, AUSCERT
    recommends defining MAXARGLEN to be 16.

    The MD5 checksum for the current version of overflow_wrapper.c can
    be retrieved from:

         ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM


    AUSCERT recommends that until vendor patches can be installed, sites
    requiring the newgrp functionality apply this workaround.


...........................................................................

Appendix A

- ---------------------BEGIN HP SECURITY ADVISORY----------------------------

- -------------------------------------------------------------------------
       HEWLETT-PACKARD SECURITY BULLETIN: #00048, 09 January 1997
- -------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

- -------------------------------------------------------------------------
PROBLEM:  Security vulnerability in the newgrp command

PLATFORM: HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X

DAMAGE:   Vulnerabilities exists allowing local users to gain root
          privileges.

SOLUTION: Apply patch:
          PHCO_9603  for all platforms with HP-UX releases 9.X
          PHCO_9604  for all platforms with HP-UX releases 10.00/10.01
          PHCO_9605  for all platforms with HP-UX releases 10.10/10.20

AVAILABILITY:  All patches are available now.

- -------------------------------------------------------------------------
I.
   A. Background
      A vulnerability with the newgrp command (/bin/newgrp HP-UX 9.X or
      /usr/bin/newgrp in HP-UX 10.X) has been discovered.

   B. Fixing the problem
      The vulnerability can be eliminated from HP-UX releases 9.X and
      10.X by applying the appropriate patch.

   C. Recommended solution
      1.  Determine which patch are appropriate for your operating
          system.

      2.  Hewlett-Packard's HP-UX patches are available via email
          and the World Wide Web

          To obtain a copy of the Hewlett-Packard SupportLine email
          service user's guide, send the following in the TEXT PORTION
          OF THE MESSAGE to support@us.external.hp.com (no Subject
          is required):

                               send guide

          The users guide explains the HP-UX patch downloading process
          via email and other services available.

          World Wide Web service for downloading of patches
          is available via our URL:
                  (http://us.external.hp.com)

      3.  Apply the patch to your HP-UX system.

      4.  Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log
          (10.X), for any relevant WARNING's or ERROR's.

   D. Impact of the patch
      The patches for HP-UX releases 9.X and 10.X provide enhancements
      to the newgrp executable to avoid this vulnerability.

   E. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP SupportLine Digest service via electronic
      mail, do the following:

      1)  From your Web browser, access the URL:

      http://us-support.external.hp.com (US,Canada,
      Asia-Pacific, and Latin-America)

      http://europe-support.external.hp.com  (Europe)

      2)  On the HP Electronic Support Center main screen, select
      the hyperlink "Support Information Digests".

      3)  On the "Welcome to HP's Support Information Digests" screen,
      under the heading "Register Now", select the appropriate hyperlink
      "Americas and Asia-Pacific", or "Europe".

      4)  On the "New User Registration" screen, fill in the fields for
      the User Information and Password and then select the button labeled
      "Submit New User".

      5)  On the "User ID Assigned" screen, select the hyperlink
      "Support Information Digests".

      ** Note what your assigned user ID and password are for future
      reference.

      6)  You should now be on the "HP Support Information Digests Main"
      screen.  You might want to verify that your email address is correct
      as displayed on the screen.  From this screen, you may also
      view/subscribe to the digests, including the security bulletins
      digest.

      To get a patch matrix of current HP-UX and BLS security
      patches referenced by either Security Bulletin or Platform/OS,
      click on following screens in order:
         Technical Knowledge Database
         Browse Security Bulletins
         Security Bulletins Archive
         HP-UX Security Patch Matrix

   F. To report new security vulnerabilities, send email to

          security-alert@hp.com

      Please encrypt any exploit information using the security-alert
      PGP key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.

   Permission is granted for copying and circulating this Bulletin to
   Hewlett-Packard (HP) customers (or the Internet community) for the
   purpose of alerting them to problems, if and only if, the Bulletin is
   not edited or changed in any way, is attributed to HP, and provided
   such reproduction and/or distribution is performed for non-commercial
   purposes.

   Any other use of this information is prohibited.  HP is not liable
   for any misuse of this information by any third party.
 
- -----------------------END HP SECURITY ADVISORY----------------------------

...........................................................................


- ---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.  AUSCERT also
thanks Information Technology Services of the University of Southern
Queensland for their assistance.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:  (07) 3365 4477
Telephone:  (07) 3365 4417 (International: +61 7 3365 4417)
    AUSCERT personnel answer during Queensland business hours
    which are GMT+10:00 (AEST).
    On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

14 May 1997     The location of overflow_wrapper.c has changed.  Section
                3 was updated to show this.

22 Jan 1997     Hewlett-Packard released a security bulletin addressing
                this vulnerability in the passwd program.  This was
                appended in Appendix A. Section 3 was modified to inform
                people to apply vendor patches if possible.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBM3mspSh9+71yA2DNAQGjhQQAmNS55nLxbiepsraaAGdRc+dRlQyfWVUW
UQpc1al+L5U3pKq1ksbaeDhUxgC1OiQICkRKkYXrDp9+QQa4v73zXYNO5mJ/o3p6
Ym0e6ufH25gwlL1vslOHG/hWFELyTR9GBHFdKYgapqCKMSb4jMbCfpu1OwqSfEKn
Jbdz8e6WISs=
=cdd5
-----END PGP SIGNATURE-----