-----BEGIN PGP SIGNED MESSAGE----- =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Don Stikvoort Index : S-96-63 Distribution : World Page : 1 Classification: External Version: 1 Subject : HP-UX SYSDIAG Vulnerability Date : 18-Nov-96 =============================================================================== By courtesy of AUSCERT we received information on a vulnerability in the HP-UX SYSDIAG Online Diagnostics Subsystem. CERT-NL recommends to apply the workaround as recommended. Official HP patches are not available yet. ============================================================================== AA-96.09 AUSCERT Advisory HP-UX SYSDIAG Online Diagnostics Subsystem Vulnerability 12 November 1996 Last Revised: -- - --------------------------------------------------------------------------- AUSCERT has received information that there is a vulnerability in the SYSDIAG Online Diagnostics Subsystem supplied by Hewlett Packard. This vulnerability is present under both HP-UX 9.x and 10.x This vulnerability may allow local users to gain root privileges. Exploit details involving this vulnerability have been widely distributed. Official patches may be released by Hewlett Packard to address this vulnerability in the future. Until patches are made available, AUSCERT recommends that sites take the actions suggested in Section 3.1. This advisory will be updated when vendor patches are made available. - --------------------------------------------------------------------------- 1. Description The HP SYSDIAG Online Diagnostics Subsystem enables users to run online diagnostic programs to diagnose suspected system hardware problems. Some programs supplied with the SYSDIAG package create files in an insecure manner. As these programs execute with root privileges, it is possible to create arbitrary files on the system. The SYSDIAG subsystem may be installed under both HP-UX 9.x and 10.x. The default location of the programs used by the SYSDIAG package differs between the 9.x and 10.x releases of the operating system. To determine if the SYSDIAG programs are installed, sites should check for the presence of the program "sysdiag". Under HP-UX 9.x: % ls -l /bin/sysdiag Under HP-UX 10.x: % ls -l /usr/sbin/sysdiag Individual sites are encouraged to check their systems for the SYSDIAG package, and if installed, take the actions recommended in Section 3. 2. Impact Local users may be able to create arbitrary files on the system. This may be leveraged to gain root privileges. 3. Workarounds/Solution AUSCERT recommends that sites prevent the possible exploitation of this vulnerability by immediately applying the workaround given in Section 3.1. Currently there are no vendor patches available that address this vulnerability. AUSCERT recommends that official vendor patches be installed when they are made available. 3.1 Remove setuid permissions Until official vendor patches are made available, sites should remove the setuid root permissions from the vulnerable programs. To do this, the following commands should be run as root: Under HP-UX 9.x # chmod u-s /bin/sysdiag # chmod u-s /usr/diag/bin/* Under HP-UX 10.x # chmod u-s /usr/sbin/sysdiag # chmod u-s /usr/sbin/diag/* Note that this will restrict non-root users from using the SYSDIAG subsystem diagnostic tools. When using any of the SYSDIAG subsystem programs as root, system administrators should ensure that they do not use the "outfile" sub-command to write files in world writable directories. Writing files in such directories may leave the system open to exploitation of this vulnerability. - --------------------------------------------------------------------------- AUSCERT thanks Hewlett-Packard for their continued assistance and technical expertise essential for the production of this advisory. Thanks also to Viviani Paz (The University of Queensland) for her assistance in this matter. - --------------------------------------------------------------------------- ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://www.surfnet.nl/surfnet/security/cert-nl.html ftp://ftp.surfnet.nl/surfnet/net-security In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl Phone: +31 302 305 305 Fax: +31 302 305 329 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ============================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQCVAwUBMpAjHmL2fnkJN/jpAQHFpgQAtQNtua6rVfH3h6DwwbX14Nj/uARGyhdr C0Q+6kb5FKbZgoHN37JgOeWfcGbDgXalw3bJrDLSLqAV4wdiUl7hiwjXcQjrxqQK NchNGQ0PjfY8ccRkoR16gAWBXYezLlauKXuVP3xIphkO/mCFRaygKMPoInIlHbdU 9ZXrljAWKZc= =CZ+M -----END PGP SIGNATURE-----