-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
                         Security Advisory CERT-NL
===============================================================================
Author/Source : Rene Ritzen                          Index  : S-96-68
Distribution  : World                                Page   :
Classification: External                             Version:
Subject       : HP-UX passwd buffer overrun vulnerability
Date          : 28-Nov-96
===============================================================================

By courtesy of AUSCERT, the Australian CERT, we received information on a
vulnerability in the passwd(1) program under HP-UX 9.x and HP-UX 10.x. This
information is made publicly available by AUSCERT advisory AA-96.13, dated
28 Nov 1996.

CERT-NL recommends that sites take the steps outlined in section 3 as soon as
possible.

Keywords: passwd, stack space overwrite, root privilege

===========================================================================
AA-96.13                        AUSCERT Advisory
                  HP-UX passwd buffer overrun vulnerability
                               28 November 1996
Last Revised: --

- - ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the passwd(1)
program under HP-UX 9.x and HP-UX 10.x. This vulnerability may allow local
users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

Currently there are no vendor patches available that address this
vulnerability. AUSCERT recommends that sites take the steps outlined in
section 3 as soon as possible.

This advisory will be updated as more information becomes available.

- - ---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the HP-UX
    passwd(1) program. This vulnerability is known to affect HP-UX 9.x and
    10.x.
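    The following is an added illustration and is not part of the AUSCERT
    advisory, nor code from AUSCERT or Hewlett-Packard. It shows the class of
    defect this section describes (a copy into a fixed-size buffer whose
    length is never compared with the input) beside a checked copy, and
    factors the per-argument length gate used by the Appendix A wrapper into
    a function that can be tested. The buffer size, the limit and the sample
    argument vectors are constructed for the example; the passwd internals
    are hypothetical.

```c
/*
 * Added example, not AUSCERT's or Hewlett-Packard's code: an unchecked copy
 * into a fixed buffer (the pattern the advisory describes) beside a checked
 * copy, plus the argument-length gate the Appendix A wrapper applies before
 * handing control to the real passwd. All sizes and inputs are constructed.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   64   /* hypothetical fixed-size buffer inside a setuid program */
#define MAXARGLEN 64   /* the per-argument limit the wrapper enforces */

/*
 * The defect class: src is never measured against the size of dst, so an
 * over-long argument runs past the buffer into adjacent stack data. Kept only
 * for contrast; nothing below calls it with an over-long string.
 */
int unchecked_copy(char dst[BUF_LEN], const char *src)
{
    strcpy(dst, src);
    return 0;
}

/*
 * Hardened form: measure first, and refuse (rather than silently truncate)
 * input that does not fit together with its terminating NUL, so the caller
 * can report and stop. Returns 0 on success, -1 if rejected.
 */
int checked_copy(char dst[BUF_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= BUF_LEN) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/*
 * The wrapper's gate as a testable function: index of the first argument
 * longer than maxlen, or -1 when every argument is within bounds.
 */
int first_oversized_arg(int argc, char *const argv[], size_t maxlen)
{
    int i;
    for (i = 0; i < argc; i++) {
        if (strlen(argv[i]) > maxlen)
            return i;
    }
    return -1;
}

/* Fills buf with n 'A' characters plus a NUL (buf must hold n + 1 bytes). */
static void fill_a(char *buf, size_t n)
{
    memset(buf, 'A', n);
    buf[n] = '\0';
}

/* Constructed ordinary command line: passes the gate (-1). */
int demo_normal_argv(void)
{
    char *argv[] = { "passwd", "alice", NULL };
    return first_oversized_arg(2, argv, MAXARGLEN);
}

/* Constructed command line with a 200-byte second argument: gate reports 1. */
int demo_oversized_argv(void)
{
    char big[201];
    char *argv[3];
    fill_a(big, 200);
    argv[0] = "passwd";
    argv[1] = big;
    argv[2] = NULL;
    return first_oversized_arg(2, argv, MAXARGLEN);
}

/* A short name fits the buffer: checked_copy accepts it (0). */
int demo_checked_copy_fits(void)
{
    char buf[BUF_LEN];
    return checked_copy(buf, "alice");
}

/* A 200-byte input does not fit: checked_copy rejects it (-1). */
int demo_checked_copy_rejects(void)
{
    char buf[BUF_LEN];
    char big[201];
    fill_a(big, 200);
    return checked_copy(buf, big);
}

int main(void)
{
    printf("normal argv gate:      %d (expect -1)\n", demo_normal_argv());
    printf("oversized argv gate:   %d (expect 1)\n", demo_oversized_argv());
    printf("checked_copy fits:     %d (expect 0)\n", demo_checked_copy_fits());
    printf("checked_copy rejects:  %d (expect -1)\n", demo_checked_copy_rejects());
    return 0;
}
```

    The gate only bounds what reaches the real program; it does not change
    the program's own copying, which is why the advisory treats the wrapper
    as interim relief until a vendor patch fixes the copy itself.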
    Due to insufficient bounds checking on arguments which are supplied by
    users, it is possible to overwrite the internal stack space of the
    passwd(1) program while it is executing. By supplying a carefully
    designed argument to the passwd(1) program, intruders may be able to
    force passwd(1) to execute arbitrary commands. As passwd(1) is setuid
    root, it may allow intruders to run arbitrary commands with root
    privileges.

    Exploit information involving this vulnerability has been made publicly
    available.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    AUSCERT recommends that sites limit the possible exploitation of this
    vulnerability by immediately applying the workaround given in
    Section 3.1.

    Currently there are no vendor patches available that address this
    vulnerability. AUSCERT recommends that official vendor patches be
    installed when they are made available.

3.1 Install passwd wrapper

    AUSCERT has developed a wrapper to help prevent passwd(1) being exploited
    using the vulnerability described in this advisory. This wrapper,
    including installation instructions, can be found in Appendix A.

    AUSCERT recommends that until vendor patches can be installed, sites
    apply this workaround.

...........................................................................

Appendix A      passwd(1) wrapper

/*
 * passwd_wrapper.c -- wrap HP-UX passwd to prevent an argument buffer overrun
 *
 * This wrapper is part of AUSCERT Advisory AA-96.13.  The latest
 * version of this advisory is available from:
 *
 *      ftp://ftp.auscert.org.au/pub/auscert/advisory/
 *                        AA-96.13.HP-UX.passwd.vul
 *
 * This program is designed to be an interim relief measure
 * until official vendor patches are made available.
 *
 *
 * Author:      AUSCERT
 *              Prentice Centre
 *              Qld. 4072.
 *              Australia.
 *
 *              auscert@auscert.org.au
 *
 * DISCLAIMER:  The use of this program is at your own risk.  It is
 *              designed to combat a particular vulnerability, and may
 *              not combat other vulnerabilities, either past or future.
 *              The decision to use this program is yours, as are the
 *              consequences of its use.
 *
 * This program is designed to be an interim relief measure
 * until appropriate patches can be obtained from your vendor.
 *
 *
 * Installation instructions
 * ~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * 1. su to root
 *
 * 2. Determine the location of passwd.
 *
 *    Under HP-UX 9.x it is /bin/passwd, under HP-UX 10.x /usr/bin/passwd.
 *    For example purposes, /usr/bin will be used in following instructions
 *    for the location of passwd.
 *
 * 3. Determine the permissions, owner, and group of passwd.  Note this
 *    information as it will be used later.  For example:
 *
 *      # ls -l /usr/bin/passwd
 *
 * 4. Copy the real passwd program to passwd.real, and then change the
 *    permissions on it.
 *
 *      # cd /usr/bin
 *      # cp passwd passwd.real
 *      # chmod 711 passwd.real
 *
 * 5. Edit this wrapper program and define REAL_PASSWD.  This should be
 *    the location you copied passwd to in step #4.  By default,
 *    REAL_PASSWD is defined as "/usr/bin/passwd.real".  This should be
 *    an absolute pathname.
 *
 * 6. Compile this program in a directory other than /usr/bin.
 *    For example, to use /usr/local/src, first copy this file into
 *    /usr/local/src.
 *
 *      # cd /usr/local/src
 *      # cc -o passwd_wrapper passwd_wrapper.c
 *
 *    If you wish error messages to be logged by syslog when
 *    arguments that may exploit the buffer overrun vulnerability
 *    are passed to passwd, add -DSYSLOG to the compile time options.
 *
 *      # cc -DSYSLOG -o passwd_wrapper passwd_wrapper.c
 *
 * 7. Copy this new wrapper program into the directory originally
 *    containing passwd.  This will replace the existing passwd program.
 *
 *    Make sure this directory and its parent directories are protected so
 *    only root is able to make changes to files in the directory.
 *
 *    Use the information found in step #3 and set the same
 *    owner, group, permissions and privileges on the new passwd program.
 *
 *    For example:
 *
 *      # cp passwd_wrapper /usr/bin/passwd
 *      # cd /usr/bin
 *      # chown root passwd
 *      # chmod 4555 passwd
 *
 *    Check that the owner, group, permissions and privileges exactly
 *    match those noted in step #3.
 *
 *      # ls -l /usr/bin/passwd
 *
 *    Users will not be able to use the passwd program during the time
 *    when the wrapper is copied into place until the chmod command
 *    has been executed.
 *
 * 8. Check that passwd still works!
 *
 */

static char Version[] = "passwd_wrapper V1.0 28-Nov-1996";

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>

/*
 * Make sure REAL_PASSWD points to the location you copied passwd to in
 * step #4.
 */
#define REAL_PASSWD     "/usr/bin/passwd.real"

/*
 * This wrapper will exit without executing REAL_PASSWD when
 * given any arguments which exceed MAXARGLEN.
 */
#define MAXARGLEN       64

int
main(int argc, char *argv[], char *envp[])
{
        int i;

        /* Refuse to run the real passwd if any argument exceeds MAXARGLEN. */
        for (i = 0; i < argc; i++) {
                if (strlen(argv[i]) > MAXARGLEN) {
                        fprintf(stderr, "You have exceeded the argument length ...Exiting\n");
#ifdef SYSLOG
                        syslog(LOG_ERR, "Possible passwd buffer overrun attack by uid %d\n", getuid());
#endif
                        exit(1);
                }
        }

        /*
         * All arguments are within bounds: replace this process with the
         * real passwd, passing the original arguments and environment
         * through unchanged.  execve only returns on failure.
         */
        execve(REAL_PASSWD, argv, envp);
        perror("execve passwd failed");
        exit(1);
}

- - ---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.

AUSCERT also thanks Information Technology Services of the University of
Southern Queensland for their assistance.
- - ---------------------------------------------------------------------------

=============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.i

iQCVAgUBMp21TGL2fnkJN/jpAQF7FQP8Dys++yZKkUsXbE1xHgiqhF/TMzjQ+MMO
Aavpioi1h+cjRfdbLGig4AP9RlIWvH0+Du1XTgPFMGCBv98dfU0XWiP2Bgi90poO
FZ7FVDs0rWbbkrnprIqEZb+DS3Vz22uJX8cNsKr4VBNmkP0YBJ1p8wb66HKgVEyR
TYq+tr+O4fI=
=N97u
-----END PGP SIGNATURE-----