AA-96.18c.HP-UX.chfn.buffer.overrun.vul
c526b62278839cc9e6413f602e3565a75b4612d74466806ee024b53787f793b3-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-96.18 AUSCERT Advisory
HP-UX chfn Buffer Overrun Vulnerability
9 December 1996
Last Revised: 14 May, 1997
The location of overflow_wrapper.c has changed. Section
3 was updated to show this.
A complete revision history is at the end of this file.
- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the
chfn(1) program under HP-UX 9.x and 10.x.
This vulnerability may allow local users to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
Vendor patches have been released addressing this vulnerability.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
- ---------------------------------------------------------------------------
1. Description
AUSCERT has received information that a vulnerability exists in the
HP-UX chfn(1) program. The chfn command is used to change user
information in the password file, and is installed by default.
Due to insufficient bounds checking on arguments which are supplied
by users, it is possible to overwrite the internal stack space of the
chfn program while it is executing. By supplying a carefully
designed argument to the chfn program, intruders may be able to
force chfn to execute arbitrary commands. As chfn is setuid
root, this may allow intruders to run arbitrary commands with root
privileges.
This vulnerability is known to affect both HP-UX 9.x and 10.x.
By default, chfn is located in /usr/bin under both HP-UX 9.x and 10.x.
Exploit information involving this vulnerability has been made
publicly available.
2. Impact
Local users may gain root privileges.
3. Workarounds/Solution
Official vendor patches have been released by Hewlett-Packard which
address this vulnerability (Section 3.1).
If the patches recommended by Hewlett-Packard cannot be applied,
AUSCERT recommends that sites limit the possible exploitation of this
vulnerability by immediately removing the setuid permissions as stated
in Section 3.2. If the chfn command is required, AUSCERT recommends
the chfn wrapper program given in Section 3.3 be installed.
3.1 Install vendor patches
Hewlett-Packard has released a security bulletin, containing patch
information, addressing the vulnerability described in this advisory.
The original release of this bulletin has been appended in Appendix A.
A current version of this security bulletin can be retrieved from:
http://us.external.hp.com:80/search/bin/wwwsdoc.pl?DOCID=HPSBUX9701-049
AUSCERT recommends that sites apply the patches given in this bulletin
immediately.
3.2 Remove setuid and non-root execute permissions
To prevent the exploitation of the vulnerability described in the
advisory, AUSCERT recommends that the setuid permissions be removed
from the chfn program immediately. As the chfn program will no
longer work for non-root users, it is recommended that the execute
permissions also be removed. Before doing so, the original permissions
for chfn should be noted as they will be needed if sites choose to
install the chfn wrapper program (Section 3.2).
For example:
# ls -l /usr/bin/chfn
-r-sr-xr-x 1 root bin 20480 Jun 10 1996 /usr/bin/chfn
# chmod 500 /usr/bin/chfn
# ls -l /usr/bin/chfn
-r-x------ 1 root bin 20480 Jun 10 1996 /usr/bin/chfn
Note that this will remove the ability for any non-root user to run the
chfn program.
3.3 Install chfn wrapper
AUSCERT has developed a wrapper program to help prevent programs from
being exploited using the vulnerability described in this advisory.
This wrapper, including installation instructions, can be found at:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c
This replaces the chfn program with a wrapper which checks the
length of the command line arguments passed to it. If an argument
exceeds a certain predefined value (MAXARGLEN), the wrapper exits
without executing the chfn command. The wrapper program can also
be configured to syslog any failed attempts to execute chfn with
arguments exceeding MAXARGLEN. For further instructions on using
this wrapper, please read the comments at the top of overflow_wrapper.c.
When compiling overflow_wrapper.c for use with HP-UX chfn, AUSCERT
recommends defining MAXARGLEN to be 16.
The MD5 checksum for the current version of overflow_wrapper.c can
be retrieved from:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM
AUSCERT recommends that until vendor patches can be installed, sites
requiring the chfn functionality apply this workaround.
4. Additional measures
Most Unix systems ship numerous programs which have setuid or
setgid privileges. Often the functionality supplied by these
privileged programs is not required by many sites. The large number
of privileged programs that are shipped by default are to cater for
all possible uses of the system.
AUSCERT encourages sites to examine all the setuid/setgid programs
and determine the necessity of each program. If a program does not
absolutely require the setuid/setgid privileges to operate (for
example, it is only run by the root user), the setuid/setgid
privileges should be removed. Furthermore, if a program is not
required at your site, then all execute permissions should be removed.
A sample command to find all setuid/setgid programs is (run as root):
# find / \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
It is AUSCERT's experience that many vulnerabilities are being
discovered in setuid/setgid programs which are not necessary for the
correct operation of most systems. Sites can increase their security
by removing unnecessary setuid/setgid programs.
For example, the functionality provided by the chfn program is not
needed by many sites since the user information stored in the password
file, which chfn is used to change, is typically static. If sites
had previously disabled the chfn program, they would not have been
vulnerable to this latest exploit.
...........................................................................
Appendix A
- ---------------------BEGIN HP SECURITY ADVISORY----------------------------
- -------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00049, 09 January 1997
- -------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
- -------------------------------------------------------------------------
PROBLEM: Security vulnerability in the chfn executable
PLATFORM: HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X
DAMAGE: Vulnerabilities exists allowing local users to gain root
privileges.
SOLUTION: Apply patch:
PHCO_9595 for all platforms with HP-UX releases 9.X
PHCO_9596 for all platforms with HP-UX releases 10.00/10.01/10.10
PHCO_9597 for all platforms with HP-UX releases 10.20
AVAILABILITY: All patches are available now.
- -------------------------------------------------------------------------
I.
A. Background
A vulnerability with the chfn command (/usr/bin/chfn) has been
discovered.
B. Fixing the problem
The vulnerability can be eliminated from HP-UX releases 9.X and
10.X by applying the appropriate patch.
C. Recommended solution
1. Determine which patch are appropriate for your operating
system.
2. Hewlett-Packard's HP-UX patches are available via email
and the World Wide Web
To obtain a copy of the Hewlett-Packard SupportLine email
service user's guide, send the following in the TEXT PORTION
OF THE MESSAGE to support@us.external.hp.com (no Subject
is required):
send guide
The users guide explains the HP-UX patch downloading process
via email and other services available.
World Wide Web service for downloading of patches
is available via our URL:
(http://us.external.hp.com)
3. Apply the patch to your HP-UX system.
4. Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log
(10.X), for any relevant WARNING's or ERROR's.
D. Impact of the patch
The patches for HP-UX releases 9.X and 10.X provide enhancements
to the chfn executable to avoid this vulnerability.
E. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP SupportLine Digest service via electronic
mail, do the following:
1) From your Web browser, access the URL:
http://us-support.external.hp.com (US,Canada,
Asia-Pacific, and Latin-America)
http://europe-support.external.hp.com (Europe)
2) On the HP Electronic Support Center main screen, select
the hyperlink "Support Information Digests".
3) On the "Welcome to HP's Support Information Digests" screen,
under the heading "Register Now", select the appropriate hyperlink
"Americas and Asia-Pacific", or "Europe".
4) On the "New User Registration" screen, fill in the fields for
the User Information and Password and then select the button labeled
"Submit New User".
5) On the "User ID Assigned" screen, select the hyperlink
"Support Information Digests".
** Note what your assigned user ID and password are for future
reference.
6) You should now be on the "HP Support Information Digests Main"
screen. You might want to verify that your email address is correct
as displayed on the screen. From this screen, you may also
view/subscribe to the digests, including the security bulletins
digest.
To get a patch matrix of current HP-UX and BLS security
patches referenced by either Security Bulletin or Platform/OS,
click on following screens in order:
Technical Knowledge Database
Browse Security Bulletins
Security Bulletins Archive
HP-UX Security Patch Matrix
F. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin is
not edited or changed in any way, is attributed to HP, and provided
such reproduction and/or distribution is performed for non-commercial
purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
- ----------------------END HP SECURITY ADVISORY-----------------------------
...........................................................................
- ---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
14 May 1997 The location of overflow_wrapper.c has changed. Section
3 was updated to show this.
22 Jan 1997 Hewlett-Packard released a security bulletin addressing
this vulnerability in the passwd program. This was
appended in Appendix A. Section 3 was modified to inform
people to apply vendor patches if possible.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM7PA2yh9+71yA2DNAQEogwQAmUcGoIu0v68mDDKBKZGZg5NGSY/gE5aa
IXud1JCx2keKNnJna7G4p+CFEII/QkhC+hqJN+J6hGncG2FrVT3REtH5rrTnHIos
mfLwFuD/Rg7v1t2MZBdFwerVrVYssZWMnZmUEPn06qo35FaGNmpeW2VSbGhGmDT0
6IC534+Apag=
=g8Oh
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed