Fix for HP-UX automountd/autofs exploit (fwd)

[dsiebert () ENGINEERING UIOWA EDU (Doug Siebert)]

I sent this out on Christmas Eve, but it doesn't seem to have gotten
through, so I'm trying again...

I've been meaning to send this out for a while, but just didn't get
around to cleaning it up enough so that it could be run as a simple
script on people's systems.  I decided to do it now as a Christmas
present to everyone who has been waiting far too long for HP to put
out the patches to fix the automountd/autofs hole.  I have no idea
why HP, SGI, IBM (anyone else affected?) are taking so long to produce
this simple fix, but whatever.  Here is a fix that will work on HP-UX
10.20 and 11.0 (I haven't tested it on 11.0, but it should work)
systems to block the automountd hole, so long as the loss of the
executable map capability isn't a problem for you.  See the comments
in the script below which implements the fix.  Please remember that if
you install a patch that patches automountd, this fix will be wiped
out, and you'll need to re-run this script to regain the protection.
You will need either the HP ANSI C compiler or gcc for the script to
work, the HP base/bundled C compiler can't generate position independant
code.

Note that while the same technique may appear to be useful to protect
against buffer overflow attacks (by taking over all the exec* functions
and system(), in addition to just popen()) it isn't, because while you
can protect against the traditional script kiddie attack using the
regular /bin/sh shellcode, it'd just require a small bit of work to
change the assembly to do something like say open /etc/passwd and add a
nice uid 0 account, etc.  Once someone published that assembly code
the "fix" would become useless.

HP is adding/has added executable stack protection to HP-UX 11, and it
is quite nice as it is implemented on a per binary basis.  Just look at
the man page for chatr(1) on a recently patched HP-UX 11 system.  I
don't know if all the bits required for this to work are operational
yet, but I remember hearing that the next release of HP-UX 11 (due next
spring I believe) includes "buffer overflow protection".  Not that this
would help the automountd hole but most of the holes nowadays are buffer
overflows so it'll be nice that we'll be able to make them pretty much a
thing of the past on HP-UX soon enough, and without the annoying
tradeoffs that the Solaris/Linux style global kernel tunable require.

As always, no support, warranties, guarantees that this doesn't allow
easy root access on your system to the world...don't call me I'll call
you, etc.

Merry Christmas, Chanukah, Ramadan, Festivus, whatever you celebrate :)

#!/usr/bin/sh
#
# This closes the HP automountd/autofs hole by creating a libc stub that takes
# over the libc popen(3) function.  HP's automountd uses popen to implement
# executable maps, which is a new feature of autofs versus the old style
# automount, but is also the way this hole is exploited.  Even after it is
# fixed, if you don't use executable maps you will probably sleep better if you
# know executable maps have been completely disabled.  Obviously if you wish to
# make use of executable maps, this fix is no good to you, and you'll have to
# wait for an official patch from HP, and then keep your fingers crossed and
# hope there isn't another hole waiting to be exploited.
#
# Douglas Siebert 10/23/99 (packaged as a script 12/24/99)
#

# Check that you are root
if [ `whoami` != "root" ]; then
  echo "Must be root to run this script"
  exit 1
fi

# Change to autofs directory for this script
cd /usr/lib/netsvc/fs/autofs
umask 077

# Create libc stub
cat > libc.c << __EOF__
#include <stdio.h>
#include <syslog.h>

FILE * popen(const char *command, const char *type)
{
  syslog(LOG_ALERT, "Exploit attempted on automountd/autofs hole");
  return(NULL);
}
__EOF__

# Compile it with cc or gcc (hopefully you've got one of them)
/usr/bin/cc -c libc.c -Ae +z || gcc -c libc.c -fpic || NOCC=1
if [ "$NOCC" ]; then
  echo "You must have the HP ANSI/C or gcc compiler on your system"
  rm -f libc.c
  exit 1
fi
rm -f libc.c

# Create the stub libc with the real libc as a dependency (HP hates when you
# do this)  I haven't yet tested this on HP-UX 11, but it should work.
if [ -x /usr/lib/libc.2 ]; then
  rm -f libc.2
  /usr/bin/ld -b -o libc.2 libc.o /usr/lib/libc.2
  chmod 555 libc.2
else
  rm -f libc.1
  /usr/bin/ld -b -o libc.1 libc.o /usr/lib/libc.1
  chmod 555 libc.1
fi
rm -f libc.o

# Figure out where automountd is (there are at least two possibilities -- the
# latest HP-UX 10.20 patches moved some stuff around and I don't know if the
# automountd binary was in /usr/sbin before or not.  But in HP-UX 11 it has
# moved to /usr/lib/netsvc/fs/autofs.  Hopefully those are the only possible
# locations)
if [ -x /usr/sbin/automountd ]; then
  AUTOMOUNTD_DIR=/usr/sbin
elif [ -x /usr/lib/netsvc/fs/autofs/automountd ]; then
  AUTOMOUNTD_DIR=/usr/lib/netsvc/fs/autofs
fi

# Save unmodified automountd binary
mv -f $AUTOMOUNTD_DIR/automountd $AUTOMOUNTD_DIR/automountd.ORIG

# Set up new one to obey SHLIB_PATH
cp -fp $AUTOMOUNTD_DIR/automountd.ORIG $AUTOMOUNTD_DIR/automountd.mod
chatr +s enable $AUTOMOUNTD_DIR/automountd.mod >/dev/null

# Create shell script to replace automountd
cat > $AUTOMOUNTD_DIR/automountd << __EOF__
#!/usr/bin/sh
export SHLIB_PATH=/usr/lib/netsvc/fs/autofs
exec $AUTOMOUNTD_DIR/automountd.mod "\$@"
__EOF__
chmod 555 $AUTOMOUNTD_DIR/automountd

# Assume that if new libc.x exists, we succeeded...
if [ -x libc.1 -o -x libc.2 ]; then
  echo "Success!  You must now reboot if you have autofs running"
  exit 0
else
  echo "Something went wrong, but I have no idea what"
  exit 1
fi

--
Douglas Siebert                Director of Computing Facilities
douglas-siebert () uiowa edu      Division of Mathematical Sciences, U of Iowa

I'm not too interested in caller ID.  But caller IQ, I'll pay a lot for that!