-- Corsaire Security Advisory -- Title: HP Ignite-UX passwd file disclosure issue Date: 23.11.04 Application: HP Ignite-UX prior to version C.6.2.241 Environment: HP-UX Author: Martin O'Neal [martin.oneal@corsaire.com] Audience: General distribution Reference: c041123-001 -- Scope -- The aim of this document is to clearly define a vulnerability in the HP Ignite-UX product, as supplied by HP Inc. [1], that would allow unauthenticated access to a copy of the /etc/passwd file. -- History -- Discovered: 23.11.04 (Martin O'Neal) Vendor notified: 23.11.04 Document released: 16.08.05 -- Overview -- The HP Ignite-UX application "addresses the need for HP-UX system administrators to perform system installations and deployment, often on a large scale" [2] As part of the installation process, the product can install and enable a TFTP server to facilitate anonymous access to configuration data. In certain circumstances, a copy of the /etc/passwd file will be moved into the TFTP server tree and made available for anonymous access. -- Analysis -- The HP Ignite-UX can use a TFTP server to facilitate anonymous access to configuration data. When the make_recovery command is used, a copy of the /etc/passwd file will be created in the TFTP server tree and made available for anonymous access. As of version B.3.2 of the product, the make_recovery command has been depreciated in preference for the make_tape_recovery command (which doesn't display the same issues), and as of version C.6.0 the make_recovery command does not exist in the product at all. However, if at any point make_recovery has been run on the host, a copy of the /etc/passwd file may still remain within the TFTP server tree. -- Proof of Concept - Use a TFTP client to request the file referenced by the following path: /var/opt/ignite/recovery/passwd.makrec -- Recommendations -- Download and apply the HP Ignite-UX version C.6.2.241 patches. Replace all usage of the make_recovery command with make_tape_recovery. If in any doubt, disable the TFTP server. -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004- 0951 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems. -- References -- [1] http://www.hp.com [2] http://software.hp.com/products/IUX/overview.html -- Revision -- a. Initial release. b. Released. -- Distribution -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- About Corsaire -- Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research. A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com Copyright 2005 Corsaire Limited. All rights reserved.