Bugtraq mailing list archives
buffer over in hp-ux 10.20 kernel
From: darrenr () CYBER COM AU (Darren Reed)
Date: Mon, 24 Mar 1997 11:33:59 +1100
This is from the latest HP bug reports (i.e. there is a patch)... does anyone know if this can be used to get root or crash the box?

Darren
Document ID:  PHKL_10406
Date Loaded:  970320
      Title:  s800 10.24 (VVOS) kernel audit buffer overflow
Patch Name:  PHKL_10406
Patch Description: s800 10.24 (VVOS) kernel audit buffer overflow
Creation Date: 97/03/13
Post Date:  97/03/19
Hardware Platforms - OS Releases:
        s800: 10.24
Products: N/A
Filesets:
        VirtualVaultOS.VVOS-KRN
Automatic Reboot?: Yes
Status: General Release
Critical: No
Path Name:  /hp-ux_patches/s800/10.X/PHKL_10406
Symptoms:
        PHKL_10406:
        The audit statistics available from auditcmd -c
        will show that the largest amount of audit buffer
        space used is greater than the configured limit.
Defect Description:
        PHKL_10406:
        Under heavy system load with auditing enabled,
        the kernel buffer used to hold audit records queued
        for delivery to the audit daemon can contain more
        audit data than the configured size for the audit
        buffer.
SR:
        4701349381
Patch Files:
        /usr/conf/lib/libsec.a(sec_audit.o)
        /usr/conf/lib/libsec.a(audit_dev.o)
what(1) Output:
        /usr/conf/lib/libsec.a(audit_dev.o):
                kern/sec/audit_dev.c, sysaudit, vvos_davis, davis11
                        $Date: 97/03/13 18:49:34 $ $Revision: 1.37 PATCH_10.24 (PHKL_10406) $
        /usr/conf/lib/libsec.a(sec_audit.o):
                kern/sec/sec_audit.c, sysaudit, vvos_davis, davis11
                        $Date: 97/03/13 18:49:34 $ $Revision: 1.36 PATCH_10.24 (PHKL_10406) $
cksum(1) Output:
        3353318163 15680 /usr/conf/lib/libsec.a(audit_dev.o)
        3404447330 19952 /usr/conf/lib/libsec.a(sec_audit.o)
Patch Conflicts: None
Patch Dependencies:  None
Hardware Dependencies:  None
Other Dependencies:  None
Supersedes:  None
Equivalent Patches:
        PHKL_10407:
        s700: 10.24
Patch Package Size:  90 Kbytes
Installation Instructions:
        Please review all instructions and the Hewlett-Packard
        SupportLine User Guide or your Hewlett-Packard support terms
        and conditions for precautions, scope of license,
        restrictions, and, limitation of liability and warranties,
        before installing this patch.
        ------------------------------------------------------------
        1. Back up your system before installing a patch.
        2. Login as root.
        3. Copy the patch to the /tmp directory.
        4. Move to the /tmp directory and unshar the patch:
                cd /tmp
                sh PHKL_10406
        5a. For a standalone system, run swinstall to install the
            patch:
                swinstall -x autoreboot=true -x match_target=true \
                        -s /tmp/PHKL_10406.depot
        5b. For a homogeneous NFS Diskless cluster run swcluster on the
            server to install the patch on the server and the clients:
                swcluster -i -b
            This will invoke swcluster in the interactive mode and
            force all clients to be shut down.
            WARNING: All cluster clients must be shut down prior to the
                     patch installation.  Installing the patch while the
                     clients are booted is unsupported and can lead to
                     serious problems.
            The swcluster command will invoke an swinstall session in which
            you must specify:
                alternate root path  -  default is /export/shared_root/OS_700
                source depot path    -  /tmp/PHKL_10406.depot
            To complete the installation, select the patch by choosing
            "Actions -> Match What Target Has" and then "Actions -> Install"
            from the Menubar.
        5c. For a heterogeneous NFS Diskless cluster:
                - run swinstall on the server as in step 5a to install
                  the patch on the cluster server.
                - run swcluster on the server as in step 5b to install
                  the patch on the cluster clients.
        By default swinstall will archive the original software in
        /var/adm/sw/patch/PHKL_10406.  If you do not wish to retain a
        copy of the original software, you can create an empty file
        named /var/adm/sw/patch/PATCH_NOSAVE.
        Warning: If this file exists when a patch is installed, the
                 patch cannot be deinstalled.  Please be careful
                 when using this feature.
        It is recommended that you move the PHKL_10406.text file to
        /var/adm/sw/patch for future reference.
        To put this patch on a magnetic tape and install from the
        tape drive, use the command:
                dd if=/tmp/PHKL_10406.depot of=/dev/rmt/0m bs=2k
Special Installation Instructions:  None
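
Added example (not part of the original post or of HP's bulletin): a post-install check that compares extracted archive members against the bulletin's "cksum(1) Output" lines. The function name verify_members, the variable names and the directory of pre-extracted members are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify patched objects against a bulletin's cksum(1) lines.
# verify_members and all variable names are hypothetical, not HP tooling.

# Manifest as printed in the PHKL_10406 bulletin: CRC SIZE ARCHIVE(MEMBER)
BULLETIN_MANIFEST='3353318163 15680 /usr/conf/lib/libsec.a(audit_dev.o)
3404447330 19952 /usr/conf/lib/libsec.a(sec_audit.o)'

# verify_members MANIFEST DIR
# DIR holds members already extracted from the archive, for example with:
#   ar x /usr/conf/lib/libsec.a audit_dev.o sec_audit.o
# Prints one status line per member; returns 0 only if every member matches.
verify_members() {
    manifest=$1
    dir=$2
    rc=0
    while read -r want_crc want_size entry; do
        [ -n "$want_crc" ] || continue          # skip blank lines
        # "/path/lib.a(member.o)" -> "member.o"
        member=${entry##*\(}
        member=${member%\)}
        if [ ! -f "$dir/$member" ]; then
            echo "MISSING  $entry"
            rc=1
            continue
        fi
        # cksum prints "CRC SIZE"; reading stdin keeps the file name out
        set -- $(cksum < "$dir/$member")
        if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
            echo "OK       $entry"
        else
            echo "MISMATCH $entry (got $1 $2)"
            rc=1
        fi
    done <<EOF
$manifest
EOF
    return $rc
}

# Usage: verify_members "$BULLETIN_MANIFEST" /tmp/extracted
```

cksum is a CRC, so a match confirms the patched objects were installed intact; it does not rule out deliberate modification.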