Bugtraq mailing list archives
Re: buffer over in hp-ux 10.20 kernel
From: secure () HPCUGSYA CUP HP COM (Security Alert)
Date: Wed, 26 Mar 1997 17:26:49 PST
On 24 March '97 Darren Reed <darrenr () CYBER COM AU> wrote:
Subject: buffer over in hp-ux 10.20 kernel
To: BUGTRAQ () NETSPACE ORG

This is from the latest HP bug reports (i.e. there is a patch)....does anyone know if this can be used to get root or crash the box ?

Darren

Document ID: PHKL_10406

<snip>

This is to clarify and summarize

* which systems are affected.
* what the problem was that is corrected by our patch PHKL_1040[6,7]
* what the problem isn't

The only operating systems affected are HP-UX 10.24 and HP-UX 10.16. This means the Virtual Vault Operating System (VVOS) on HP 9000 Series 7/800 and the Trusted Operating System (CMW) on the Series 700. This is _not_ the same as the main stream releases of HP-UX -- releases 10.01, 10.10, or 10.20.

Summarization of Problem Targeted by Patch PHKL_10406

Under certain conditions, the limit on the amount of audit data that the kernel will gather from applications submitting audit records can exceed the configured limit for a period of time. The configured limit is a value, for example, 32K bytes, against which applications are measured before they submit audit records. When the limit is reached, applications will be suspended briefly by the kernel until the system's audit daemon has extracted the audit records already submitted by other applications and brought the amount of space audit records under the configured limit. Under periods of excessive load, the configured limit can be ignored resulting in the amount of audit data held by the kernel for delivery to the audit daemon to exceed the configured limit.

The kernel does *not* use a buffer to store data so there is not a chance of overflowing a fixed-size memory area. Instead, memory is dynamically allocated for each audit record. Thus, the result of exceeding the configured limit is that more memory is used by the kernel for audit record storage -- this memory is eventually returned to the kernel as a side effect of the audit daemon extracting the audit information.

The audit system in the affected releases is governed partially by audit configuration parameters established by the system's administrative staff. The programs that affect the audit configuration can only be executed by authorized individuals.

The audit configuration is stored in each system's filesystem -- the files are protected both with Discretionary Access Control (i.e., the permission/mode bits of a file) and Mandatory Access Control (MAC). Together, these mechanisms are sufficient to protect the information from being compromised.

--