-----BEGIN PGP SIGNED MESSAGE-----


===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Gert Meijerink                              Index  :    S-96-71
Distribution  : World                                       Page   :
Classification: External                                    Version:
Subject       : HP-UX newgrp Buffer Overrun Vulnerability   Date   :   3-dec-96
===============================================================================

By courtesy of AUSCERT, the Australian CERT, we received information on a
vulnerability in the newgrp(1) program under HP-UX 9.x and 10.x
This information is made publicly available by
AUSCERT advisory AA-96.16, dated 3-dec-96.

CERT-NL recommends that sites apply the workaround given in Section 3.

Keywords:    newgrp

===============================================================================
AA-96.16                        AUSCERT Advisory
                      HP-UX newgrp Buffer Overrun Vulnerability
                                3 December 1996

Last Revised: --

- - ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the
newgrp(1) program under HP-UX 9.x and 10.x.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

Currently there are no vendor patches available that address this
vulnerability.  AUSCERT recommends that sites take the steps outlined in
section 3 as soon as possible.

This advisory will be updated as more information becomes available.
- - ---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    HP-UX newgrp(1) program.  The newgrp command is used to change a users
    group identification, and is installed by default.

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    newgrp program while it is executing.  By supplying a carefully
    designed argument to the newgrp program, intruders may be able to
    force newgrp to execute arbitrary commands.  As newgrp is setuid
    root, this may allow intruders to run arbitrary commands with root
    privileges.

    This vulnerability is known to affect both HP-UX 9.x and 10.x.

    By default, newgrp is located in /bin under HP-UX 9.x and in
    /usr/bin under HP-UX 10.x.

    Exploit information involving this vulnerability has been made
    publicly available.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    AUSCERT recommends that sites limit the possible exploitation of this
    vulnerability by immediately removing the setuid permissions as stated
    in Section 3.1.  If the newgrp command is required, AUSCERT recommends
    the newgrp wrapper program given in Section 3.2 be installed.

    Currently there are no vendor patches available that address this
    vulnerability.  AUSCERT recommends that official vendor patches be
    installed when they are made available.

3.1 Remove setuid and non-root execute permissions

    To prevent the exploitation of the vulnerability described in the
    advisory, AUSCERT recommends that the setuid permissions be removed
    from the newgrp program immediately.  As the newgrp program will no
    longer work for non-root users, it is recommended that the execute
    permissions also be removed.  Before doing so, the original permissions
    for newgrp should be noted as they will be needed if sites choose to
    install the newgrp wrapper program (Section 3.2).

    For HP-UX 9.x:

        # ls -l /bin/newgrp
        -r-sr-xr-x   1 root     sys        16384 Dec  2 13:45 /bin/newgrp

        # chmod 500 /bin/newgrp
        # ls -l /bin/newgrp
        -r-x------   1 root     sys        16384 Dec  2 13:45 /bin/newgrp

    For HP-UX 10.x:

        # ls -l /usr/bin/newgrp
        -r-sr-xr-x   1 root     sys        12288 Dec  2 13:27 /usr/bin/newgrp

        # chmod 500 /usr/bin/newgrp
        # ls -l /usr/bin/newgrp
        -r-x------   1 root     sys        12288 Dec  2 13:27 /usr/bin/newgrp

    Note that this will remove the ability for any non-root user to run the
    newgrp program.

3.2 Install newgrp wrapper

    AUSCERT has developed a wrapper to help prevent programs from being
    exploited using the vulnerability described in this advisory.  This
    wrapper, including installation instructions, can be found at:

        ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper.c

    This replaces the newgrp program with a wrapper which checks the
    length of the command line arguments passed to it.  If an argument
    exceeds a certain predefined value (MAXARGLEN), the wrapper exits
    without executing the newgrp command.  The wrapper program can also
    be configured to syslog any failed attempts to execute newgrp with
    arguments exceeding MAXARGLEN.  For further instructions on using
    this wrapper, please read the comments at the top of overflow_wrapper.c.

    When compiling overflow_wrapper.c for use with HP-UX newgrp, AUSCERT
    recommends defining MAXARGLEN to be 16.

    The MD5 checksum for Version 1.0 of overflow_wrapper.c is:

        MD5 (overflow_wrapper.c) = f7f83af7f3f0ec1188ed26cf9280f6db

    AUSCERT recommends that until vendor patches can be installed, sites
    requiring the newgrp functionality apply this workaround.

- - ---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.  AUSCERT also
thanks Information Technology Services of the University of Southern
Queensland for their assistance.
- - ---------------------------------------------------------------------------
=============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
   Email:     cert-nl@surfnet.nl
   Phone:     +31 302 305 305
   Fax:       +31 302 305 329
   Snailmail: SURFnet bv
       Attn. CERT-NL
       P.O. Box 19035
       NL - 3501 DA  UTRECHT
       The Netherlands
   A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
   members on request.
==============================================================================


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQCVAwUBMqSNLGL2fnkJN/jpAQFcwgQAv7vMh5ixDawVHVpnSMbLcmJUvYtY+fPm
7d9BXPbGGWGv40xrtN3iQ+WqrASXsfaRqr/WDvAKw3h6s9o0Oj+y9V0c6HrQpbt3
U2Ij25rCfn5k+ju5cyd7dU/EMglL3d3Ugfm8kWHDklFIrydt4VKzMF+rzY0gVqH4
3CYCQIaxh5Q=
=Oc82
-----END PGP SIGNATURE-----