Bugtraq mailing list archives
Re: Vunerability in HP sysdiag ?
From: avarvit () cc ece ntua gr (Aggelos P. Varvitsiotis)
Date: Wed, 25 Sep 1996 12:22:47 +0300
"John W. Jacobi" <jjacobi () nova umuc edu> wrote:
> Hi all,
>
> If this is out, I apologize.
>
> Subject: Vunerability in HP sysdiag ???
>
> Program and Systems that I did this on:
>
> The sysdiag program on
> HP 9000/700/HPUX9.05 (has PHSS_7587)
> HP 9000/800/HPUX9.04 (not sure of patch regarding diags)
>
> To Prevent: For now, turn off the set uid on the programs involved.
>
> This is how it worked for me, perhaps you too:
>
> Problem: Basically, the sysdiag stuff is set-uid root. You can exploit that feature to create and write stuff to arbitrary files on the system as root, while not being root. If the target file you want to create exists, this doesn't work. Perhaps there is a way around that, but that ain't the point. The point is that I used this to get root in 30 seconds on my HP's and that's not good. Heck, this is probably faster than asking for the root password !!!
[rest of message deleted]

I verified it for HP-UX 9.0X. Not only that, though. It is not sufficient to chmod u-s /bin/sysdiag. This leaves behind a bunch of programs in /usr/diag/bin which are still setuid to root and behave quite the same (i.e., they don't check for symlinks while creating 0666 log or temp files). A non-privileged user can use any of these to create 0666 /.rhosts (or whatever else) files, with the known consequences.

Proposed solution:

    root# chmod u-s /bin/sysdiag /usr/diag/bin/*

The question in jjacobi's other mail(s) remains: is there a single source for this line of vulnerabilities? In which HP-UX releases?

A. Varvitsiotis
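
Added example, not part of the original post or of HP's code: the file-creation pattern the message describes (a log file created with mode 0666 and no symlink check) beside a hardened form, exercised on a constructed dangling symlink in a private temp directory. The function names are hypothetical, and the code assumes a POSIX.1-2008 system that provides `O_NOFOLLOW` and `mkdtemp`.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the thread: create if missing, follow symlinks, mode 0666.
 * In a setuid-root program the file is created wherever the link points. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0666);
}

/* Hardened form: O_EXCL fails with EEXIST if the name exists at all, even
 * as a dangling symlink; O_NOFOLLOW refuses a symlink in the last path
 * component; mode 0600 keeps the new file from being world-writable. */
int open_log_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: "diag.log" is a dangling symlink to "target".
 * Returns 1 if opening the link through `opener` created the target. */
int link_target_created(int (*opener)(const char *))
{
    char dir[] = "/tmp/symdemoXXXXXX", lnk[64], target[64];
    struct stat st;
    int fd, created;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lnk, sizeof lnk, "%s/diag.log", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lnk) != 0) { rmdir(dir); return -1; }

    fd = opener(lnk);
    if (fd >= 0) close(fd);
    created = (stat(target, &st) == 0);

    unlink(target); unlink(lnk); rmdir(dir);
    return created;
}

int main(void)
{
    printf("unsafe open created link target: %d\n", link_target_created(open_log_unsafe));
    printf("safe open created link target:   %d\n", link_target_created(open_log_safe));
    return 0;
}
```

A privileged program should also drop to the caller's real uid before creating per-user log or temp files, so that a missed check fails with the caller's permissions rather than root's.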