The U.S. Department of Energy
Computer Incident Advisory Capability

                           INFORMATION BULLETIN

                        HP-UX_suid_Vulnerabilities

November 4, 1996 16:00 GMT                                         Number H-03
______________________________________________________________________________
PROBLEM:       Several HP-UX system utilities are suid root and, when run,
               they open and write log or other files to disk. Using this
               behavior, normal users can add to or change privileged system
               files and so compromise system security, allowing those users
               to gain root access or to destroy files. The following system
               utilities are known to have this problem:

               /usr/diag/bin/DUI (/etc/sysdiag)
               /usr/perf/bin/glance
               /etc/subnetconfig
               Remote Watch /usr/remwatch/*
               /usr/bin/ppl
               /usr/sbin/swinstall
               /usr/bin/X11/gwind (called by: xwcreate and xwdestroy)

PLATFORM:      HP-UX, all versions
DAMAGE:        Unprivileged users can get root or destroy files.
SOLUTION:      Remove the indicated programs or packages, or turn off the
               suid bit on the indicated programs, until a patch is
               available.
______________________________________________________________________________
VULNERABILITY  Using these vulnerabilities, any normal user can compromise
ASSESSMENT:    security and get root access to a system, or can destroy
               system-owned files.
______________________________________________________________________________

HP-UX suid Vulnerabilities

CIAC has learned that attack scripts are circulating around the Internet that
show how to compromise system security using the listed system programs. These
scripts allow a normal user to gain root access or to destroy system-owned
files. Several of the vulnerabilities exploited by these scripts have already
been fixed by existing Hewlett-Packard (HP) security patches, but it has come
to our attention that many installed systems have not been patched.
Users should realize that installing a new HP computer, or upgrading the
operating system on an existing one, does not mean that all the relevant
security patches have been installed. If you are using an HP-UX system, you
are advised to check the HP Security Advisories at http://us.external.hp.com
for ones that apply to your particular system. You should then download and
install any indicated security patches before putting your machine into
production. Be sure to check the patch itself to see whether it applies only
to an earlier version of HP-UX or has been updated to apply to the later
version as well; this update may not be indicated in the security bulletin.

This bulletin lists the programs being exploited and the HP security bulletins
that describe the patches required to correct the indicated problems. For
those problems that do not have a bulletin or patch, this bulletin contains
some workarounds to protect a system until patches are available from HP. CIAC
will distribute notices of new patches from HP when they become available.
Note that we do not expect to see patches for any of the older products that
have been superseded by newer ones.

Several of the problems described here apply to diagnostics and system
management tools that most normal users will never use. All such tools are
included in a newly installed system, but can be removed after the
installation has completed if they are not needed, returning a significant
amount of disk space to the user. If you don't need a package, delete it. If
you find you need it in the future, you can always reinstall it. The System
Administration Manager (SAM) program is very useful in this regard, as it can
remove or install complete filesets.
______________________________________________________________________________

INDICATIONS OF A POSSIBLE COMPROMISE

Among the most common indications that a machine has been compromised by
these or similar vulnerabilities are links from a world-writable directory
(such as /tmp) to a system file (such as /.rhosts) in a directory where root
privilege is required to write or create files, and /.rhosts files with ++ at
the beginning of any line. If you find such a link or file, your system has
likely been compromised and should be thoroughly checked for other traces of
the intruder. For more information on the use of the .rhosts file, see the
hosts.equiv man page on your system.

______________________________________________________________________________

PROBLEM

The listed programs are suid root, so they run with root privilege even though
they were started by a normal user. They then create or open files without
first checking the type and ownership of those files. By careful manipulation
of the name, location and contents of these files, system files can be changed
to give a normal user root access, or system-owned files can be damaged or
deleted.

______________________________________________________________________________

SOLUTION

For those packages where a patch exists, the patch should be obtained from HP
and installed on the system. For problems where a patch does not exist yet,
the files or packages in question should be either removed or have their
permissions changed so that only the root user can run them.

By far the best solution to these problems is to remove the packages in
question. Most of the packages are for diagnostics or system administration
purposes and are not needed by a normal user. If they are needed, the
permissions should be changed to allow only the owner to run them and to clear
the suid bit that permits them to run as root. The ownership should also be
checked to ensure they are owned by root.
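The indicator checks above (links out of a world-writable directory, a ++ line in /.rhosts) and the owner-only, suid-cleared workaround the bulletin recommends, written as shell functions. This is an added example and not part of the CIAC bulletin; demo() builds a constructed scratch tree with mktemp that mirrors /usr/diag/bin/DUI, /tmp and /.rhosts, so nothing on a real system is read or changed.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin: helpers for the checks an
# administrator is asked to perform. All paths are constructed by demo() in a
# scratch directory, so the script runs offline as an unprivileged user.

# List every set-uid file under the tree $1 (the bulletin's "ls -l" check,
# applied to a whole directory such as /usr/diag/bin or /usr/perf).
list_suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Return 0 if the .rhosts file $1 has a line beginning with "++", the
# compromise indicator named under INDICATIONS OF A POSSIBLE COMPROMISE.
rhosts_has_plusplus() {
    grep -q '^++' "$1" 2>/dev/null
}

# Print "link -> target" for each symlink in the world-writable directory
# $1 whose target lies outside that directory (e.g. /tmp/x -> /.rhosts).
links_out_of_dir() {
    dir=$1
    for l in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$l" ] || continue
        t=$(readlink "$l")
        case $t in
            "$dir"/*) ;;                       # stays inside the directory
            *) printf '%s -> %s\n' "$l" "$t" ;;
        esac
    done
}

# The bulletin's workaround: owner-only execute, suid cleared (mode 0544).
harden_suid_program() {
    chmod 0544 "$1"
}

# Permission column as ls -l prints it, e.g. "-r-sr-xr-x" or "-r-xr--r--".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Build a constructed tree mirroring the bulletin's paths and indicators and
# print its root. The "DUI" here is a one-line stub, not HP's binary.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/usr/diag/bin" "$base/tmp"
    printf 'exit 0\n' > "$base/usr/diag/bin/DUI"
    chmod 4555 "$base/usr/diag/bin/DUI"     # suid, as in the bulletin's ls -l
    printf '++\n' > "$base/.rhosts"         # constructed "++" wildcard line
    ln -s "$base/.rhosts" "$base/tmp/x"     # constructed /tmp -> /.rhosts link
    printf '%s\n' "$base"
}

# Stand-alone run: audit the tree, apply the workaround, re-check, clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(demo)
    echo "suid files:";       list_suid_files "$root"
    echo "links out of tmp:"; links_out_of_dir "$root/tmp"
    rhosts_has_plusplus "$root/.rhosts" && echo "/.rhosts has a ++ line"
    harden_suid_program "$root/usr/diag/bin/DUI"
    echo "after chmod 0544: $(mode_string "$root/usr/diag/bin/DUI")"
    rm -rf "$root"
fi
```

Run with `sh audit.sh --demo` to see the before and after of the DUI stub; point list_suid_files and links_out_of_dir at real directories only when auditing a system you administer.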
/usr/diag/bin/DUI (called by /bin/sysdiag)
------------------------------------------

The sysdiag program is the interface to the online diagnostics subsystem.
When started, this program runs /usr/diag/bin/DUI, which is suid root. If you
do not need to do system diagnostics, you should remove this whole package.
The package includes all the files in /usr/diag/bin and the file
/bin/sysdiag. If you need to keep this package, you should change the
permissions on all the files in /usr/diag/bin and the file /bin/sysdiag to
owner-only access and clear the suid bit. Check that all the files are owned
by root. Normal users will no longer be able to use sysdiag, but the system
manager will be able to do so when logged in as root.

/usr/perf/bin/glance
--------------------

Glance Plus is a performance monitor that is included in most HP-UX system
installations as a demo package, or can be purchased separately. If you do
not need to do system performance monitoring, you should remove this whole
package, which includes all the files in /usr/perf. An earlier problem with
Glance was covered in HP Security Advisory 9405-011, which describes a patch
that updates Glance to version B.09.01 (700-800) or A.09.07 (300, 400). The
current vulnerability is not fixed by these updates. If you need to keep this
package, you should change the permissions of all the files in /usr/perf to
owner-only access and clear the suid bit. Check that the files are owned by
root. Normal users will no longer be able to use this program, but the system
manager will be able to do so when logged in as root.

/etc/subnetconfig
-----------------

The subnetconfig batch file is for setting the subnet behavior of a system.
Only root can actually change the behavior, but a normal user is able to view
the current setting by running the program without arguments. A previous
problem with subnetconfig was described in HP Security Advisory 9402-003, but
the patch file only applies to HP-UX versions 9.0 and 9.01.
The current problem is not fixed by that patch. A workaround for this problem
is to change the permissions of /etc/subnetconfig to owner-only access, clear
the suid bit and check that /etc/subnetconfig is owned by root. Normal users
will no longer be able to view the current setting, but the system manager
will still be able to change the setting when logged in as root.

/usr/remwatch/* (Remote Watch)
------------------------------

The Remote Watch package is a system management tool whose capabilities have
been largely incorporated in the System Administration Manager (SAM). These
files cannot be patched but should be removed, as recommended in HP Security
Advisory #9610-039, included at the end of this advisory.

/usr/bin/ppl
------------

The ppl application is HP's version of SLIP, a point-to-point serial linking
protocol for TCP/IP. To protect a system, the /usr/bin/ppl file should be
changed to owner-only access and the suid bit should be cleared. The ppl
program will not run unless it has root privileges, so normal users will not
be able to use it. This will cause a problem for normal users who are using
SLIP to gain access to a machine. If ppl is needed for normal operations,
sites will have to evaluate the risk on a case-by-case basis until a patch is
available.

/usr/sbin/swinstall
-------------------

The swinstall program is a software installer included in most HP-UX 10.x
systems to speed software installations. When not being used, the program
should be either removed or disabled to prevent it from being used for
malicious purposes. To disable the program, change the permissions to
owner-only access and clear the suid bit. Ensure that swinstall is owned by
root. Only root will then be able to do program installations.

/usr/bin/X11/gwind (called by: xwcreate and xwdestroy)
------------------------------------------------------

The gwind program is part of the X Window System and is called by the xwcreate
and xwdestroy programs to create or destroy an X window.
The problem with gwind is described in HP Security Bulletin 9410-018. That
bulletin indicates that patch PHSS_4832 is needed for all systems, but that
patch has been superseded by the PHSS_5140 patch. Users of all HP-UX 9.x
systems should download and install PHSS_5140.

______________________________________________________________________________

DISABLING NONUSER FILE ACCESS

In the event that there is no patch available for a particular package and
you need to keep the package on your system, you must change the file access
so that only the owner can run it, and make sure that the owner is root. To do
so, you must change the file permissions to owner-only access, clear the suid
bit, and check that the owner is root.

Changing File Access To Owner Only And Clearing suid
----------------------------------------------------

To check the permissions and owner of a file, list the file with ls using the
-l option.

    MyMachine> ls -l /usr/diag/bin/DUI
    -r-sr-xr-x   1 root     bin        14608 Oct 25  1995 DUI

The list of letters on the left shows that the file has read (r) and execute
(x) access for owner, group and world. Note that the fourth character
position from the left is an s instead of an x. That letter indicates that
the suid bit is set and the program can change its uid to root. The owner of
the file is root, as it should be.

To change the access to owner only and clear the suid bit, log on as root and
use the chmod command as follows.

    MyMachine> chmod 0544 /usr/diag/bin/DUI

If you again list the file, you see that while everyone can still see the
file, only the owner can execute it, and the suid bit is no longer set (the s
changed to x).
    MyMachine> ls -l /usr/diag/bin/DUI
    -r-xr--r--   1 root     bin        14608 Oct 25  1995 DUI

______________________________________________________________________________

HP Security Advisory On Remote Watch

=============================================================================
-------------------------------------------------------------------------
       HEWLETT-PACKARD SECURITY ADVISORY: #000039, 24 October 1996
-------------------------------------------------------------------------

Hewlett-Packard recommends that the information in the following Security
Advisory should be acted upon as soon as possible. Hewlett-Packard will not be
liable for any consequences to any customer resulting from customer's failure
to fully implement instructions in this Security Advisory as soon as possible.

Permission is granted for copying and circulating this advisory to
Hewlett-Packard (HP) customers (or the Internet community) for the purpose of
alerting them to problems, if and only if, the advisory is not edited or
changed in any way, is attributed to HP, and provided such reproduction and/or
distribution is performed for non-commercial purposes. Any other use of this
information is prohibited. HP is not liable for any misuse of this information
by any third party.
_______________________________________________________________________
PROBLEM:  Vulnerability in HP Remote Watch in 9.X releases of HP-UX
PLATFORM: HP 9000 series 300/400/700/800s
DAMAGE:   Vulnerabilities in HP Remote Watch exist allowing users to gain
          additional privileges.
SOLUTION: Do not use Remote Watch.
_______________________________________________________________________

I. Remote Watch Update

   A. Problem description

      A recent mailing list disclosure described two vulnerabilities in which
      HP Remote Watch allows unauthorized root access. The first was via a
      socket connection on port 5556. The second was as a result of using the
      showdisk utility, which is part of the Remote Watch product.
      It has been found that HP9000 Series 300, 400, 700, and 800 systems
      running only HP-UX Release 9.X have this vulnerability.

   B. Fixing the problem

      This vulnerability can only be eliminated from releases 9.X of HP-UX
      which are using Remote Watch by disabling the entire product. The
      default location for this product is /usr/remwatch/ . Removal can be
      accomplished (as root) with the following:

      NOTE: Do not run the standard rmfn command, as HP has discovered
      problems with its inability to handle programs with active executables.
      Instead, run (with no options):

          /usr/remwatch/bin/removeall

      This runs a Remote Watch script called "unconfigure" to stop actively
      running programs, then proceeds to remove all files including the
      filesets.

      The administrator should also perform both of the following steps:

      1. Remove or comment out the following entry in the /etc/inetd.conf
         file:

         rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon

      2. Have inetd re-read its configuration file by executing at the
         prompt:

         inetd -c

      This is the official recommendation from Hewlett-Packard Company.

   C. Current product status

      Remote Watch was last released from the labs in August of 1993. In
      December 1994 customers were informed of pending product obsolescence.
      Hewlett-Packard recommends that all customers concerned with the
      security of their HP-UX systems with Remote Watch configured on them
      perform the actions described herein as soon as possible. Again, no
      patches will be available for any versions of HP-UX.

      Since the functionality of HP Remote Watch software has now been
      replicated in other tools that handle system management more
      effectively, there is no longer a sufficient need for HP Remote Watch.
      Most of the functionality is now provided by the Systems Administration
      Manager (SAM) tool, available at no charge as part of the HP-UX
      operating system, or by the HP OpenView OperationsCenter application.
      If further assistance is desired, please contact your HP Support
      Representative.

   D. HP SupportLine

      To subscribe to automatically receive future NEW HP Security Bulletins
      from the HP SupportLine mail service via electronic mail, send an email
      message to:

          support@us.external.hp.com   (no Subject is required)

      Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE;
      here are some basic instructions you may want to use:

      To add your name to the subscription list for new security bulletins,
      send the following in the TEXT PORTION OF THE MESSAGE:

          subscribe security_info

      To retrieve the index of all HP Security Bulletins issued to date, send
      the following in the TEXT PORTION OF THE MESSAGE:

          send security_info_list

      To get a patch matrix of current HP-UX and BLS security patches
      referenced by either Security Bulletin or Platform/OS, put the following
      in the text portion of your message:

          send hp-ux_patch_matrix

      World Wide Web service for browsing of bulletins is available via our
      URL: http://us.external.hp.com
      Choose "Support news", then under Support news, choose "Security
      Bulletins".

   E. To report new security vulnerabilities, send email to
      security-alert@hp.com

      Please encrypt exploit information using the security-alert PGP key,
      available from your local key server, or by sending a message with a
      -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.

====================End of HP Security Advisory====================
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24 hours a day. During off hours (5PM - 8AM PST), call
the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers: the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074, is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://ciac.llnl.gov/
    Anonymous FTP:   ciac.llnl.gov (128.115.19.53)
    Modem access:    +1 (510) 423-4753 (28.8K baud)
                     +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending E-mail to ciac-listproc@llnl.gov:

    subscribe list-name LastName, FirstName PhoneNumber

    e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-41: Vulnerability in BASH Program
G-42: Vulnerability in WorkMan Program
G-43: Vulnerabilities in Sendmail
G-44: SCO Unix Vulnerability
G-45: Vulnerability in HP VUE
G-46: Vulnerabilities in Transarc DCE and DFS
G-47: Unix FLEXlm Vulnerabilities
G-48: TCP SYN Flooding and IP Spoofing Attacks
H-01: Vulnerabilities in bash
H-02: SUN's TCP SYN Flooding Solutions

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07    - 3/29/95   A comprehensive review of SATAN
Notes 08    - 4/4/95    A Courtney update
Notes 09    - 4/24/95   More on the "Good Times" virus urban legend
Notes 10    - 6/16/95   PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability in
                        S/Key, EBOLA Virus Hoax, and Caibua Virus
Notes 11    - 7/31/95   Virus Update, Hats Off to Administrators, America
                        On-Line Virus Scare, SPI 3.2.2 Released, The Die_Hard
                        Virus
Notes 12    - 9/12/95   Securely configuring Public Telnet Services, X
                        Windows, beta release of Merlin, Microsoft Word Macro
                        Viruses, Allegations of Inappropriate Data Collection
                        in Win95
Notes 96-01 - 3/18/96   Java and JavaScript Vulnerabilities, FIRST Conference
                        Announcement, Security and Web Search Engines,
                        Microsoft Word Macro Virus Update