-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
                         Security Advisory CERT-NL
===============================================================================
Author/Source : Xander Jansen                      Index         : S-96-59
Distribution  : World                              Page          : 1
Classification: External                           Version       : 1
Subject       : Vulnerabilities in HP Remote Watch Software
Date          : 24-Oct-96
===============================================================================

By courtesy of AUSCERT we received information on vulnerabilities in the
Hewlett-Packard Remote Watch Software. These vulnerabilities may allow remote
as well as local users to gain root privileges on any system with the HP
Remote Watch product installed.

CERT-NL recommends acting upon the AUSCERT advisory as presented below.

===========================================================================
AA-96.07                        AUSCERT Advisory
                  Vulnerabilities in HP Remote Watch Software
                                 24 Oct 1996

Last Revised: --
---------------------------------------------------------------------------

AUSCERT has received information that there are vulnerabilities in the
Hewlett-Packard Remote Watch Software. This product's primary function is
the collection of system data, which is available to both system
administrators and HP support personnel. It can also be used to monitor
day-to-day changes in the system, informing the system administrator of any
errors and configuration changes found.

The Remote Watch software is provided as a separate product with the HP
Series 300/400/700, and as a subsystem of the HP Support Watch product on
the HP 800 Series. Any system with the HP Remote Watch product installed is
vulnerable.

These vulnerabilities may allow remote as well as local users to gain root
privileges. Exploit details involving these vulnerabilities have been made
publicly available.

AUSCERT recommends that sites take the actions suggested in Section 3 as
soon as possible.
---------------------------------------------------------------------------

1.  Description

    The HP Remote Watch product is auxiliary software which is often
    installed on HP-UX 9.x systems, although it is not part of the default
    installation. Remote Watch is a separate product for HP Series
    300/400/700, and is a subsystem of the HP Support Watch product for HP
    Series 800. Systems running HP-UX 10.x may have this package installed
    even though it is not supported there.

    AUSCERT has been informed of two vulnerabilities in the Remote Watch
    product:

    (1) The Remote Watch product is used for the collection of system data
        which can be made available to system administrators and HP support
        personnel. To perform this function, it involves a daemon,
        rwdaemon, acting on information sent to a non-privileged port, 5556
        by default. This port can be sent a string that will allow
        arbitrary commands to be executed with root privileges.

    (2) The Remote Watch product contains modules which perform various
        disk related tasks. These modules contain the program showdisk.
        The showdisk utility contains a vulnerability which can allow users
        to gain root privileges.

    All sites are encouraged to check their systems for this package, and
    if it is installed, take the actions recommended in Section 3. The
    default location for this product is /usr/remwatch/, so its presence
    can be checked with:

        % ls -ld /usr/remwatch/

2.  Impact

    Local and remote users may be able to execute arbitrary commands with
    root privileges. This may be leveraged to gain unauthorised root
    access.

3.  Workarounds/Solution

    AUSCERT recommends that sites prevent exploitation of these
    vulnerabilities by taking the measures given in Section 3.1
    immediately.

    AUSCERT has been informed by HP that they will be issuing a security
    advisory describing these vulnerabilities. This HP security advisory
    will also detail the current product status of Remote Watch.
3.1 Remove the HP Remote Watch Product

    AUSCERT has been informed that these vulnerabilities can only be
    removed by disabling the Remote Watch product. Therefore, sites are
    advised to remove the Remote Watch product from their systems as soon
    as possible. This can be accomplished by issuing the following command
    as root:

        # /usr/remwatch/bin/removeall

    NOTE: Do not run the standard rmfn command, as HP has discovered
    problems with its inability to handle programs with active executables.

    The administrator should also perform both of the following tasks:

    1.  Remove or comment out the following line from /etc/inetd.conf:

        rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon

    2.  Have inetd re-read its configuration file by issuing the following
        command:

        # inetd -c

---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for supplying test machines and technical
expertise used to produce this advisory.
---------------------------------------------------------------------------

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes. CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).

All CERT-NL material is available under:
    http://www.surfnet.nl/surfnet/security/cert-nl.html
    ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O.
           Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBMm9MW2L2fnkJN/jpAQF2GQP/SG/oXVZZsSg909T76HSEQRVzztsXOVHl
Jn1GdCl7wMva5j/os3srTC8kPfp6d6RZFeyyc7HeojMGcYxBNFVff9SwrE0oyEYu
Xs8l1ZSvlm8DSQqbaF1fMOP19fdPCHzR7Rq1L5ndkZsVcu1dBl+CayCS8kEikG5T
6uHc1SWv3Vs=
=PxEv
-----END PGP SIGNATURE-----
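The checks and the inetd.conf step from Section 3.1, worked through as a small Bourne shell script. This is an added example, not part of the CERT-NL or AUSCERT advisory and not an HP tool; it assumes the default /usr/remwatch location named above and runs against a constructed inetd.conf fragment so it can be tried without touching a live host.

```shell
#!/bin/sh
# Added example (not from the advisory): detect the HP Remote Watch product
# and neutralise the rwdaemon entry in an inetd.conf file (Section 3.1, step 1).

# Report whether the Remote Watch directory exists. Default is the location
# named in the advisory; returns 0 if present, 1 otherwise.
remwatch_installed() {
  dir="${1:-/usr/remwatch}"
  if [ -d "$dir" ]; then
    echo "Remote Watch present at $dir"; return 0
  fi
  echo "Remote Watch not found at $dir"; return 1
}

# Count active (uncommented) rwdaemon service lines in the given inetd.conf.
# Always exits 0 so it can be used safely inside command substitution.
rwdaemon_active_count() {
  grep -c '^[[:space:]]*rwdaemon[[:space:]]' "$1" || true
}

# Comment out every active rwdaemon line in the given inetd.conf, keeping a
# .bak copy. On a real HP-UX host this is followed by "inetd -c" (step 2).
disable_rwdaemon() {
  conf="$1"
  cp "$conf" "$conf.bak"
  sed 's/^\([[:space:]]*rwdaemon[[:space:]]\)/# \1/' "$conf.bak" > "$conf"
}

# Demonstration on a constructed inetd.conf fragment (sample data, not a host).
# Returns 0 when exactly one active entry was found and none remain afterwards.
demo() {
  tmp="${TMPDIR:-/tmp}/inetd.conf.$$"
  cat > "$tmp" <<'EOF'
# constructed sample inetd.conf
ftp      stream tcp nowait root /usr/lbin/ftpd             ftpd -l
rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon
telnet   stream tcp nowait root /usr/lbin/telnetd          telnetd
EOF
  before=$(rwdaemon_active_count "$tmp")
  disable_rwdaemon "$tmp"
  after=$(rwdaemon_active_count "$tmp")
  echo "active rwdaemon entries: before=$before after=$after"
  rm -f "$tmp" "$tmp.bak"
  [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

remwatch_installed
demo
```

The script only edits the file you pass to disable_rwdaemon; removing the product itself is still done with /usr/remwatch/bin/removeall as the advisory states.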