From support@us.external.hp.com Wed Mar 13 00:58:59 1996
Date: Wed, 13 Mar 1996 01:02:01 -0800
From: HPSL Mail Service <support@us.external.hp.com>
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder <jericho@netcom.com>
Subject: RE: send doc HPSBUX9406-014

--------
## Regarding your request:
   Send Doc HPSBUX9406-014

The following are the results of your request from the HP SupportLine mail
service.

===============================================================================
Document Id: [HPSBUX9406-014]
Date Loaded: [07-07-94]

Description: Patch file permissions vulnerability
===============================================================================

-----------------------------------------------------------------------------
           HEWLETT PACKARD SECURITY BULLETIN: #00014, 05 July 1994
-----------------------------------------------------------------------------

Hewlett-Packard recommends that the information in the following
Security Bulletin should be acted upon as soon as possible. Hewlett-
Packard will not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this Security
Bulletin as soon as possible.

_____________________________________________________________________________
PROBLEM:   Some patches may be installed with unsafe permissions.
           The /system/PHxx_nnnn directory may be world writable.

PLATFORM:  s300/s400/s700/s800  all revisions of hp-ux

DAMAGE:    The customize and decustomize scripts may be altered.  The
           original files saved in the /system/PHxx_nnnn/orig directory
           may be replaced.

SOLUTION:  Do not use any of the files in the vulnerable patch
           directories.
_____________________________________________________________________________


I. Patch Permissions

   A. CERT Advisory

      None.

   B. Nature of the problem

      There are many patches that install into world writable
      directories in /system.  The vulnerability is that the customize
      and decustomize scripts could be altered by anyone.  Also the
      files in the orig directory could have been altered.  In
      fact the entire orig directory could have been replaced.
      Nothing in the vulnerable patch directory can be trusted.

   C. Fixing the problem

      1.  As of now, all new patches are having their permissions
          set to safe values before they are posted.

      2.  We are in the process of fixing and reposting existing
          patches.  The patch numbers will not change.  This
          bulletin will be updated when that process is complete.

      3.  You should immediately examine the patch directories in
          /system to identify vulnerable patches.  You should make
          sure you do not restore any of the files in a vulnerable
          patch directory.  The "find_patch_perms" script below can
          be used to identify the vulnerable directories.  The
          "remove_vulnerable" script can be used to remove the
          vulnerable patch directories.

            find_patch_perms  >>/usr/adm/vulnerable_patches
            remove_vulnerable

      4.  Until the patches have been corrected and reposted, you
          should change the permissions to safe values.  The
          script "fix_patch_perms" will do that.  It or something
          similar should be executed immediately after each patch
          is installed.


Scripts:
----------------------------------------
#!/bin/sh
# "find_patch_perms" script
for i in `ls -d /system/PH*_*`
do
  g=`ll -d $i | cut -c6`
  o=`ll -d $i | cut -c9`
  #echo $i $g $o
  if [ $o = "w" ]
  then
    echo "$i IS vulnerable.  DO NOT USE THIS DIRECTORY."
  else
    if [ $g = "w" ]
    then
      # The patch directories should have either 755 permissions (good)
      # or 777 (BAD).  There are no known patches that have write
      # permissions on group that do not have write permission on
      # other.  But to be sure, flag that case as a possible problem.

      echo "$i might be vulnerable."

    fi
  fi
done
----------------------------------------
#!/bin/sh
# "remove_vulnerable" script
for i in `ls -d /system/PH*_*`
do
  g=`ll -d $i | cut -c6`
  o=`ll -d $i | cut -c9`
  #echo $i $g $o
  if [ $o = "w" ]
  then
    echo "$i IS vulnerable.  Removing that directory."
    rm -rf $i
  else
    if [ $g = "w" ]
    then
      # The patch directories should have either 755 permissions (good)
      # or 777 (BAD).  There are no known patches that have write
      # permissions on group that do not have write permission on
      # other.  But to be sure, flag that case as a possible problem.

      echo "$i might be vulnerable."
      echo "You should look at the group and consider removing "
      echo "the files in $i"

    fi
  fi
done
----------------------------------------
#!/bin/sh
# "fix_patch_perms" script
if [ "$1" = "" ]
then
  echo "This script changes the permissions on patch files"
  echo "and directories to safe values."
  echo ""
  echo "This script should be run immediately after the patch"
  echo "has been installed."
  echo ""
  echo "Usage:    fix_patch_perms <patch number>"
  echo "Example:  fix_patch_perms PHSS_1234"
  exit 1
fi
#
# Remove write and execute permissions from group and other.
#
for i in `ls /system/$1`
do
  echo "Before: /system/$1/$i \c"
  ll -d /system/$1/$i | cut -c1-10

  chmod g-wx,o-wx /system/$1/$i

  echo "After : /system/$1/$i \c"
  ll -d /system/$1/$i | cut -c1-10
  echo " "
done
#
# Set the /system/PHxx_nnnn permission to 755.
#
echo "Before: /system/$1 \c"
ll -d /system/$1 | cut -c1-10

chmod 755 /system/$1

echo "After : /system/$1 \c"
ll -d /system/$1 | cut -c1-10
echo " "
#
# Set /system/PHxx_nnnn/orig to 500
#
if [ -d /system/$1/orig ]
then
  echo "Before: /system/$1/orig \c"
  ll -d /system/$1/orig | cut -c1-10

  chmod 500 /system/$1/orig

  echo "After : /system/$1/orig \c"
  ll -d /system/$1/orig | cut -c1-10
  echo " "
fi
----------------------------------------

-----------------------------------------------------------------------
To subscribe to automatically receive NEW future HP Security Bulletins
from the HP SupportLine mail service via electronic mail, send the
following in the TEXT PORTION OF THE MESSAGE to
support@support.mayfield.hp.com (no Subject is required):

   subscribe security_info

To retrieve the index of all HP Security Bulletins, send the following:

   send security_info_list

To obtain a copy of the HP SupportLine mail service user's guide,
send the following:

   send guide.txt


For security concerns, write to:

        security-alert@hp.com