Bugtraq mailing list archives

HP-UX B.10.01 vulnerability

From: aleph1 () underground org (Aleph One)
Date: Fri, 7 Jun 1996 11:15:51 -0700


As shipped, the HP-UX program /usr/contrib/bin/nettune is SETUID root.

When SETUID root, nettune allows reconfiguration of ICMP, IP, and TCP kernel
parameters by ANY user.  The vulnerability can result in a denial of service.

nettune can reset any of the following parameters:

% nettune -l
arp_killcomplete = 1200 default = 1200 min = 60 max = 3600 units = seconds
arp_killincomplete = 600 default = 600 min = 30 max = 3600 units = seconds
arp_unicast = 300 default = 300 min = 60 max = 3600 units = seconds
arp_rebroadcast = 60 default = 60 min = 30 max = 3600 units = seconds
icmp_mask_agent = 0 default = 0 min = 0 max = 1
ip_defaultttl = 255 default = 255 min = 0 max = 255 units = hops
ip_forwarding = 0 default = 1 min = 0 max = 1
ip_intrqmax = 50 default = 50 min = 10 max = 1000 units = entries
pmtu_defaulttime = 20 default = 20 min = 10 max = 32768
tcp_localsubnets = 1 default = 1 min = 0 max = 1
tcp_receive = 32768 default = 32768 min = 256 max = 262144 units = bytes
tcp_send = 32768 default = 32768 min = 256 max = 262144 units = bytes
tcp_defaultttl = 64 default = 64 min = 0 max = 255 units = hops
tcp_keepstart = 7200 default = 7200 min = 5 max = 12000 units = seconds
tcp_keepfreq = 75 default = 75 min = 5 max = 2000 units = seconds
tcp_keepstop = 600 default = 600 min = 10 max = 4000 units = seconds
tcp_maxretrans = 12 default = 12 min = 4 max = 12
tcp_urgent_data_ptr = 0 default = 0 min = 0 max = 1
udp_cksum = 1 default = 1 min = 0 max = 1
udp_defaultttl = 64 default = 64 min = 0 max = 255 units = hops
udp_newbcastenable = 1 default = 1 min = 0 max = 1
udp_pmtu = 0 default = 0 min = 0 max = 1
tcp_pmtu = 1 default = 1 min = 0 max = 1
tcp_random_seq = 0 default = 0 min = 0 max = 2
%

Current thread:

Re: Not so much a bug as a warning of new brute force attack, (continued)
- - - Re: Not so much a bug as a warning of new brute force attack Valdis.Kletnieks () vt edu (Jun 04)
    - rexec brute bastard (Jun 04)
    - Selecting Good Passwords mdr () vodka sse att com (Jun 04)
    - brute force *Hobbit* (Jun 04)
    - Re: brute force Christopher Klaus (Jun 04)
    - Re: brute force Tom Fitzgerald (Jun 05)
    - Re: brute force Alan Brown (Jun 06)
    - Re: Linux rlogin hole with libc 5.x Alan Brown (Jun 06)
    - Re: Linux rlogin hole with libc 5.x Pablo Idiaquez (Jun 06)
    - help TaeJin Hong (Jun 07)
    - HP-UX B.10.01 vulnerability Aleph One (Jun 07)
    - Strange changes - any ideas? Fred Cohen (Jun 08)
    - Re: Strange changes - any ideas? dsiebert () icaen uiowa edu (Jun 09)
    - Re: Strange changes - any ideas? Andrew V. Kovalev (Jun 09)
    - Digital Unix, daemons and the SIA authentication library. Paul C Leyland (Jun 10)
    - Re: Strange changes - any ideas? Darren Reed (Jun 10)
    - Vulnerability Database Christopher Klaus (Jun 10)
    - Re: brute force Ze'ev Maor (Jun 04)
    - Re: brute force simes () tcp co uk (Jun 04)
  - Re: Not so much a bug as a warning of new brute force attack Bill Broadley (Jun 03)
  - Re: Not so much a bug as a warning of new brute force attack Brian Tao (Jun 08)

(Thread continues...)