Bugtraq mailing list archives
Vulnerability with Large UID's and GID's in HP-UX 10.20
From: aleph1 () DFW NET (Aleph One)
Date: Tue, 28 Jan 1997 12:45:46 -0600
-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD SECURITY BULLETIN: #00041, 20 January 1997
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM: Use of user or group id's greater than 60000
PLATFORM: HP 9000 series 700/800 systems running version 10.20
DAMAGE: Increase in capability and unauthorized access
SOLUTION: **REVISED 01**
Install PHSS_9343, PHNE_9377, and PHNE_9504. Then examine
the system for suid files that may not be safe for a large
uid/gid system. Any such files must be certified by their
providers as safe for use in large uid/gid system.
AVAILABILITY: PHSS_9343, PHNE_9377, and PHNE_9504 are available now.
CHANGE SUMMARY: Patches are now available.
-------------------------------------------------------------------------
I.
A. Background
Large user and group id's are new features of HP-UX revision 10.20.
Requirements for a program to work in a large uid/gid system are
detailed in the 10.20 Release Notes. In particular the uid or gid
must not be stored in a short int. Doing so in a suid program
can result in an increase in capability, including root access.
The suid files in the following filesets have been examined and
are free of the security vulnerability (after installing the
patches listed above). This only implies that the files are free
from the vulnerability. It does not necessarily mean that the
programs in that fileset will work properly in a large uid/gid
system.
100VG-RUN, AB-NET, AB-RUN, AB-SUPPORT, ACCOUNTNG, AGRM, ASU,
AUDIO-SRV, CDE-DTTERM, CDE-RUN, CMDS-AUX, CMDS-MIN,
DCE-CORE-RUN, DDX-FREEDOM, DVC-SRV, DVC-SRV, EDITORS,
FAX-SER-CMN, FCEISA-RUN, FCHSC-RUN, FDDI6-RUN, FTAM, GLANCE,
GLANCE, GPM, HPNP-RUN, HPNP-RUN, HPPAK, HPPB100BT-RUN,
INETSVCS-RUN, LAN-RUN, LMU, LP-SPOOL, LVM-RUN, LVM-RUN,
MAILERS, MAPCHAN-CMD, MCSE-CORE, MPOWER-CLIENT, NET-RUN,
NFS-CLIENT, NIS-CLIENT, OM-ADM, OM-BB, OM-CCMOB, OM-CORE,
OM-DESK, OM-DSYNC, OM-FAX, OM-LC, OM-NOTES, OM-P7,
OM-PMOVER, OM-RC, OM-SMS, OM-SNOOP, OM-UNIX, OM-X400,
OMNI-CORE, OTS-RUN, OVNNM-RUN, PHIGS-RUN, PHIGS-RUN,
PR-INFORMIX, PRM-RUN, RUPDATE, SAM, SCAN-CFG, SD-CMDS,
SLIP-RUN, SNAP-COMMON, SNAP-RJE, SNAP2-CORE, SNAP2-RJE,
STAR-RUN, SYS-ADMIN, SYSCOM, TERM-MNGR-MIN, TOKEN1-RUN,
TOKEN2-RUN, TOKEN3-RUN, UPG-ANALYSIS, UUCP, UX-CORE,
VUE-RUN, WTNETSCAPE2-RU, X11-RUN-CL, X11-RUN-CTRB, X400-RUN
Note: The fact that a fileset is missing from the list above
does not mean it is suspect. It may mean the fileset contains
no suid files. The script below can be used to identify suid
files that are not contained in known safe filesets.
B. Fixing the problem
Install the patches listed above and examine all suid files.
The following script will identify suspect suid files.
The provider of any suspect file should be contacted to confirm
that the program is safe for use in a large uid/gid system.
Note: The script was tested on a system with one file system.
If you have a different configuration (nfs mounted file systems,
for example), you may want to modify the find(1) command.
Note: Some suid files may be listed under the fileset of
a patch as well as under the primary fileset. In that case:
1. Use swlist to find all the instances of each file.
For example:
# swlist -l file | grep vueaction
PHSS_8537.PHSS_8537: /usr/vue/bin/vueaction
VUE.VUE-MAN: /usr/share/man/man1.Z/vueaction.1
VUE.VUE-RUN: /usr/vue/bin/vueaction
# swlist -l file | grep vuehello
...
2. Verify that the primary (non-patch) fileset is on the
list of large uid/gid safe filesets. In this case
VUE-RUN is on the list.
3. Add the patch fileset (PHSS_8537 in this example) to the
list of safe filesets in the script below. For example:
-e PHSS_8537: \
C. Recommended solution
#!/bin/sh
echo "###############################################################"
echo "# #"
echo "# Finds suid files that are suspect in a large uid/gid #"
echo "# system. Those would be any suid file not in one #"
echo "# of the following filesets: #"
echo "# #"
echo "#100VG-RUN, AB-NET, AB-RUN, AB-SUPPORT, ACCOUNTNG, AGRM, ASU, #"
echo "#AUDIO-SRV, CDE-DTTERM, CDE-RUN, CMDS-AUX, CMDS-MIN, #"
echo "#DCE-CORE-RUN, DDX-FREEDOM, DVC-SRV, DVC-SRV, EDITORS, #"
echo "#FAX-SER-CMN, FCEISA-RUN, FCHSC-RUN, FDDI6-RUN, FTAM, GLANCE, #"
echo "#GLANCE, GPM, HPNP-RUN, HPNP-RUN, HPPAK, HPPB100BT-RUN, #"
echo "#INETSVCS-RUN, LAN-RUN, LMU, LP-SPOOL, LVM-RUN, LVM-RUN, #"
echo "#MAILERS, MAPCHAN-CMD, MCSE-CORE, MPOWER-CLIENT, NET-RUN, #"
echo "#NFS-CLIENT, NIS-CLIENT, OM-ADM, OM-BB, OM-CCMOB, OM-CORE, #"
echo "#OM-DESK, OM-DSYNC, OM-FAX, OM-LC, OM-NOTES, OM-P7, #"
echo "#OM-PMOVER, OM-RC, OM-SMS, OM-SNOOP, OM-UNIX, OM-X400, #"
echo "#OMNI-CORE, OTS-RUN, OVNNM-RUN, PHIGS-RUN, PHIGS-RUN, #"
echo "#PR-INFORMIX, PRM-RUN, RUPDATE, SAM, SCAN-CFG, SD-CMDS, #"
echo "#SLIP-RUN, SNAP-COMMON, SNAP-RJE, SNAP2-CORE, SNAP2-RJE, #"
echo "#STAR-RUN, SYS-ADMIN, SYSCOM, TERM-MNGR-MIN, TOKEN1-RUN, #"
echo "#TOKEN2-RUN, TOKEN3-RUN, UPG-ANALYSIS, UUCP, UX-CORE, #"
echo "#VUE-RUN, WTNETSCAPE2-RU, X11-RUN-CL, X11-RUN-CTRB, X400-RUN #"
echo "# #"
echo "# Note: This assumes that the patches listed in #"
echo "# HP Security Bulletin 41 are installed. #"
echo "# #"
echo "# As you qualify other suid files you may want to #"
echo "# modify this script. #"
echo "# #"
echo "###############################################################"
td=/tmp/suid_temp
mkdir $td
##########################################################
# find all suid files
##########################################################
echo find all suid files:
echo "find / -type f -perm -u+s -print >$td/suid_files"
find / -type f -perm -u+s -print >$td/suid_files
##########################################################
# list all files in all installed filesets
##########################################################
echo list all files in all installed filesets:
echo "swlist -l file >$td/swlist.file"
swlist -l file >$td/swlist.file
##########################################################
# extract the suid files from the list all files
# in all installed filesets
##########################################################
echo find suspect suid files
grep -Ff $td/suid_files $td/swlist.file > $td/swlist.suid
##########################################################
# make a list of all the filesets containing suid files
##########################################################
awk '{print $1}' $td/swlist.suid | cut -f 2 -d\. \
| sort -u >$td/suid_filesets
##########################################################
# remove from the list all the filesets known to be
# large uid/gid safe
##########################################################
grep -ve 100VG-RUN: -e AB-NET: -e AB-RUN: -e AB-SUPPORT: \
-e ACCOUNTNG: -e AGRM: -e ASU: -e AUDIO-SRV: -e CDE-DTTERM: \
-e CDE-RUN: -e CMDS-AUX: -e CMDS-MIN: -e DCE-CORE-RUN: \
-e DDX-FREEDOM: -e DVC-SRV: -e DVC-SRV: -e EDITORS: \
-e FAX-SER-CMN: -e FCEISA-RUN: -e FCHSC-RUN: -e FDDI6-RUN: \
-e FTAM: -e GLANCE: -e GLANCE: -e GPM: -e HPNP-RUN: \
-e HPNP-RUN: -e HPPAK: -e HPPB100BT-RUN: -e INETSVCS-RUN: \
-e LAN-RUN: -e LMU: -e LP-SPOOL: -e LVM-RUN: -e LVM-RUN: \
-e MAILERS: -e MAPCHAN-CMD: -e MCSE-CORE: \
-e MPOWER-CLIENT: -e NET-RUN: -e NFS-CLIENT: -e NIS-CLIENT: \
-e OM-ADM: -e OM-BB: -e OM-CCMOB: -e OM-CORE: \
-e OM-DESK: -e OM-DSYNC: -e OM-FAX: -e OM-LC: -e OM-NOTES: \
-e OM-P7: -e OM-PMOVER: -e OM-RC: -e OM-SMS: \
-e OM-SNOOP: -e OM-UNIX: -e OM-X400: -e OMNI-CORE: \
-e OTS-RUN: -e OVNNM-RUN: -e PHIGS-RUN: -e PHIGS-RUN: \
-e PR-INFORMIX: -e PRM-RUN: -e RUPDATE: -e SAM: \
-e SCAN-CFG: -e SD-CMDS: -e SLIP-RUN: -e SNAP-COMMON: \
-e SNAP-RJE: -e SNAP2-CORE: -e SNAP2-RJE: -e STAR-RUN: \
-e SYS-ADMIN: -e SYSCOM: -e TERM-MNGR-MIN: -e TOKEN1-RUN: -e UUCP: \
-e TOKEN2-RUN: -e TOKEN3-RUN: -e UPG-ANALYSIS: \
-e UX-CORE: -e VUE-RUN: -e WTNETSCAPE2-RU: -e X11-RUN-CL: \
-e X11-RUN-CTRB: -e X400-RUN: \
$td/suid_filesets >$td/suid_suspect_filesets
##########################################################
# make a list of all the files in the suspect filesets
##########################################################
grep -Ff $td/suid_suspect_filesets $td/swlist.file \
>$td/suid_suspect_filesets_files
##########################################################
# extract just the suid files from the suspect filesets
##########################################################
echo "The following suid files are suspect in a large uid/gid system:" \
>$td/suid_suspect_files
echo "Fileset: File">>$td/suid_suspect_files
echo "-------------------------------------------" >>$td/suid_suspect_files
grep -Ff $td/suid_files $td/suid_suspect_filesets_files \
>$td/suid_suspect_files
##########################################################
# suid files that are not in filesets are suspect
##########################################################
for i in `cat $td/suid_files`
do
count=`grep -c $i $td/swlist.file`
if [ $count -eq 0 ]
then
echo "not_in_a_fileset: $i" >>$td/suid_suspect_files
fi
done
cat $td/suid_suspect_files
echo "The list of suspect suid files is in $td/suid_suspect_files"
exit
##################### end ###########################################
D. Impact of the patch
Installs large uid/gid safe programs.
E. To subscribe to automatically receive future NEW HP
Security Bulletins from the HP SupportLine Digest service via
electronic mail, do the following:
1) From your Web browser, access the URL:
http://us-support.external.hp.com (US,Canada, Asia-Pacific,
and Latin-America)
http://europe-support.external.hp.com (Europe)
2) On the HP Electronic Support Center main screen, select
the hyperlink "Support Information Digests".
3) On the "Welcome to HP's Support Information Digests" screen,
under the heading "Register Now", select the appropriate
hyperlink "Americas and Asia-Pacific", or "Europe".
4) On the "New User Registration" screen, fill in the fields
for the User Information and Password and then select the
button labeled "Submit New User".
5) On the "User ID Assigned" screen, select the hyperlink
"Support Information Digests".
**Note what your assigned user ID and password are for future
reference.
6) You should now be on the "HP Support Information Digests
Main" screen. You might want to verify that your email address
is correct as displayed on the screen. From this screen, you
may also view/subscribe to the digests, including the security
bulletins digest.
To get a patch matrix of current HP-UX and BLS security
patches referenced by either Security Bulletin or Platform/OS,
click on following screens in order:
Technical Knowledge Database
Browse Security Bulletins
Security Bulletins Archive
HP-UX Security Patch Matrix
F. To report new security vulnerabilities, send email to
security-alert () hp com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert () hp com.
Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin
is not edited or changed in any way, is attributed to HP, and
provided such reproduction and/or distribution is performed for
non-commercial purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
________________________________________________________________________
Current thread:
- L0pht Advisory: Solaris libc - getopt(3) Jonathan Wilkins (Jan 26)
- Re: L0pht Advisory: Solaris libc - getopt(3) Adam Morrison (Jan 28)
- Vulnerability with Large UID's and GID's in HP-UX 10.20 Aleph One (Jan 28)
- Pilot Private Data Not So Private Aleph One (Jan 28)