exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

sa2003-08.txt

sa2003-08.txt
Posted Nov 14, 2003
Authored by NSFOCUS | Site nsfocus.com

NSFOCUS Security Advisory SA2003-08 - Do to a lack of input validation on the NLSPATH variable, libc on HP-UX is susceptible to a format string vulnerability that will allow a local attacker to gain root privileges.

tags | advisory, local, root
systems | hpux
advisories | CVE-2003-0090
SHA-256 | 7763824063b03d4c3ebd80f0f6e25b25ad766c35105b7d94923ec0e3e6a15b2b

sa2003-08.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NSFOCUS Security Advisory(SA2003-08)

Topic: HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability

Release Date: 2003-11-13

CVE CAN ID: CAN-2003-0090

http://www.nsfocus.com/english/homepage/research/0308.htm

Affected system:
===================
- - HP-UX B.11.00
- - HP-UX B.11.11

Summary:
=========

NSFOCUS Security Team has found that the libc in HP-UX cannot restrict the
NLSPATH variable used by suid root program, which causes a format string
vulnerability. Exploiting the vulnerability local attacker could gain root
privilege.

Description:
============

Many programs in HP-UX use catopen()/catgets() and other functions in libc
to display localized information. When catopen() has detected the environment
variable NLSPATH, it will open the specified file and read messages from
it.

However, catopen() doesn't restrict the suid root program uses NLSPATH, which
allows local attackers to set NLSPATH variable and specify a locale file
crafted by themselves. When the suid root program uses catopen() to open the
message file and passes the data from it to *printf(), it might cause a format
string vulnerability.

Any suid root program that uses catopen()/catgets() maybe vulnerable. By exploiting
the vulnerability local attackers could gain root privilege.

According to the test, at least the following programs are vulnerable:

- -r-sr-xr-x 1 root bin 45056 Nov 14 2000 /usr/bin/at
- -r-sr-xr-x 1 root bin 24576 Nov 14 2000 /usr/bin/crontab
- -r-sr-xr-x 1 root bin 45056 Nov 14 2000 /usr/bin/ct
- -r-sr-xr-x 1 root bin 36864 Apr 19 2001 /usr/bin/cu
- -r-sr-xr-x 1 root bin 20480 Nov 14 2000 /usr/lbin/exrecover
- -r-sr-xr-x 1 root bin 40960 Aug 16 2001 /usr/bin/lp
- -r-sr-sr-x 2 root mail 45056 Nov 14 2000 /usr/bin/mail
- -r-sr-xr-x 5 root bin 45056 Nov 14 2000 /usr/bin/passwd
- -r-sr-xr-x 1 root bin 24576 Nov 14 2000 /usr/bin/su
- -r-sr-xr-x 11 root bin 1921024 Nov 6 2001 /usr/sbin/swinstall
- -r-sr-xr-x 2 root bin 1028096 Nov 6 2001 /usr/sbin/swpackage

Workaround:
=============

NSFOCUS suggests to temporarily remove the suid root bit for all the
programs. However, it might brings about many inconvenience. You are suggested
to apply the appropriate patch at the earliest possibility.

Vendor Status:
==============

2002.11.19 Informed the vendor
2002.12.05 Vendor confirmed the vulnerability
2003.11.05 Vendor released a security bulletin (HPSBUX0311-294) and relative
patches for the vulnerability.

Detailed information for the HP security bulletin is available at:
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0311-294

Note: Valid ITRC account is required for the link above.

Patch ID:

HP-UX B.11.22 PHCO_29329
HP-UX B.11.11 PHCO_29495
HP-UX B.11.00 PHCO_29284
HP-UX B.10.20 PHCO_26158

Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2003-0090 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems. Candidates may change significantly before they become official
CVE entries.

Acknowledgment
===============

Yang Jilong of NSFOCUS Security Team found the vulnerability.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 aF6DA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/s1KJ1794d8am9toRAjuxAJ9G7Y0zGPICg3Xi4HEOcWaTqAEXnwCfcMjj
IrBO1cVWJ0MLfLUdK0C8fAY=
=McFd
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    19 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close