MCI Telecommunications
internetMCI Security Group

Report Name:          iMCI MIIGS Security Alert
Report Number:        iMCISE:IMCIAUSCERT:120296:01:P1R1
Report Date:          12/03/96
Report Format:        Formal Report
Classification:       MCI Informational
Report Reference:     http://www.security.mci.net
Report Distribution:  iMCI Security, MCI Internal Internet Gateway Security (MIIGS),
                      MCI Emergency Alert LiSt (MEALS) (names on file)

-------------------------------------------------------------------------------

===========================================================================
AA-96.13                        AUSCERT Advisory
                  HP-UX passwd buffer overrun vulnerability
                              28 November 1996

Last Revised: --
- ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the
passwd(1) program under HP-UX 9.x and HP-UX 10.x.  This vulnerability
may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

Currently there are no vendor patches available that address this
vulnerability.  AUSCERT recommends that sites take the steps outlined in
section 3 as soon as possible.

This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    HP-UX passwd(1) program.  This vulnerability is known to affect HP-UX
    9.x and 10.x.

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    passwd(1) program while it is executing.  By supplying a carefully
    designed argument to the passwd(1) program, intruders may be able to
    force passwd(1) to execute arbitrary commands.  As passwd(1) is
    setuid root, this may allow intruders to run arbitrary commands with
    root privileges.

    Exploit information involving this vulnerability has been made
    publicly available.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    AUSCERT recommends that sites limit the possible exploitation of this
    vulnerability by immediately applying the workaround given in
    Section 3.1.

    Currently there are no vendor patches available that address this
    vulnerability.  AUSCERT recommends that official vendor patches be
    installed when they are made available.

3.1 Install passwd wrapper

    AUSCERT has developed a wrapper to help prevent passwd(1) being
    exploited using the vulnerability described in this advisory.  This
    wrapper, including installation instructions, can be found in
    Appendix A.

    AUSCERT recommends that until vendor patches can be installed, sites
    apply this workaround.

...........................................................................

Appendix A  passwd(1) wrapper

/*
 * passwd_wrapper.c -- wrap HP-UX passwd to prevent an argument buffer overrun
 *
 * This wrapper is part of AUSCERT Advisory AA-96.13.  The latest
 * version of this advisory is available from:
 *
 *     ftp://ftp.auscert.org.au/pub/auscert/advisory/
 *         AA-96.13.HP-UX.passwd.vul
 *
 * This program is designed to be an interim relief measure
 * until official vendor patches are made available.
 *
 * Author:  AUSCERT
 *          Prentice Centre
 *          Qld. 4072.
 *          Australia.
 *
 *          auscert@auscert.org.au
 *
 * DISCLAIMER: The use of this program is at your own risk.  It is
 *             designed to combat a particular vulnerability, and may
 *             not combat other vulnerabilities, either past or future.
 *             The decision to use this program is yours, as are the
 *             consequences of its use.
 *
 *             This program is designed to be an interim relief measure
 *             until appropriate patches can be obtained from your vendor.
 *
 * Installation instructions
 * ~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * 1. su to root
 *
 * 2. Determine the location of passwd.
 *
 *    Under HP-UX 9.x it is /bin/passwd, under HP-UX 10.x /usr/bin/passwd.
 *    For example purposes, /usr/bin will be used in the following
 *    instructions for the location of passwd.
 *
 * 3. Determine the permissions, owner, and group of passwd.  Note this
 *    information as it will be used later.  For example:
 *
 *        # ls -l /usr/bin/passwd
 *
 * 4. Copy the real passwd program to passwd.real, and then change the
 *    permissions on it.
 *
 *        # cd /usr/bin
 *        # cp passwd passwd.real
 *        # chmod 711 passwd.real
 *
 * 5. Edit this wrapper program and define REAL_PASSWD.  This should be
 *    the location you copied passwd to in step #4.  By default,
 *    REAL_PASSWD is defined as "/usr/bin/passwd.real".  This should be
 *    an absolute pathname.
 *
 * 6. Compile this program in a directory other than /usr/bin.
 *    For example, to use /usr/local/src, first copy this file into
 *    /usr/local/src.
 *
 *        # cd /usr/local/src
 *        # cc -o passwd_wrapper passwd_wrapper.c
 *
 *    If you wish error messages to be logged by syslog when
 *    arguments that may exploit the buffer overrun vulnerability
 *    are passed to passwd, add -DSYSLOG to the compile time options.
 *
 *        # cc -DSYSLOG -o passwd_wrapper passwd_wrapper.c
 *
 * 7. Copy this new wrapper program into the directory originally
 *    containing passwd.  This will replace the existing passwd program.
 *
 *    Make sure this directory and its parent directories are protected so
 *    only root is able to make changes to files in the directory.
 *
 *    Use the information found in step #3 and set the same
 *    owner, group, permissions and privileges on the new passwd program.
 *
 *    For example:
 *
 *        # cp passwd_wrapper /usr/bin/passwd
 *        # cd /usr/bin
 *        # chown root passwd
 *        # chmod 4555 passwd
 *
 *    Check that the owner, group, permissions and privileges exactly
 *    match those noted in step #3.
 *
 *        # ls -l /usr/bin/passwd
 *
 *    Users will not be able to use the passwd program from the time the
 *    wrapper is copied into place until the chmod command has been
 *    executed.
 *
 * 8. Check that passwd still works!
 */

static char Version[] = "passwd_wrapper V1.0 28-Nov-1996";

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>

/*
 * Make sure REAL_PASSWD points to the location you copied passwd to in
 * step #4.
 */
#define REAL_PASSWD "/usr/bin/passwd.real"

/*
 * This wrapper will exit without executing REAL_PASSWD when
 * given any arguments which exceed MAXARGLEN.
 */
#define MAXARGLEN 64

int main(int argc, char *argv[], char *envp[])
{
    int i;

    /* Refuse to run the real passwd if any argument (argv[0] included)
     * is longer than MAXARGLEN bytes. */
    for (i = 0; i < argc; i++) {
        if (strlen(argv[i]) > MAXARGLEN) {
            fprintf(stderr, "You have exceeded the argument length ...Exiting\n");
#ifdef SYSLOG
            syslog(LOG_ERR, "Possible passwd buffer overrun attack by uid %d\n",
                   (int) getuid());
#endif
            exit(1);
        }
    }

    /* Every argument is within bounds: hand over to the real passwd with
     * the same argument vector and environment. */
    execve(REAL_PASSWD, argv, envp);
    perror("execve passwd failed");
    exit(1);
}

- ---------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and
technical expertise essential for the production of this advisory.

AUSCERT also thanks Information Technology Services of the University
of Southern Queensland for their assistance.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use
the information described is the responsibility of each user or
organisation.  The appropriateness of this document for an organisation
or individual system should be considered before application in
conjunction with local policies and procedures.  AUSCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AUSCERT
or your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and
AUSCERT Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).  On call after hours for
                emergencies.

Postal:         Australian Computer Emergency Response Team
                c/- Prentice Centre
                The University of Queensland
                Brisbane
                Qld.  4072.
                AUSTRALIA
===============================================================
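As an added example (not AUSCERT's wrapper code), the wrapper's gate from Appendix A is pulled out into functions that can be exercised against constructed argument vectors, which makes the MAXARGLEN boundary visible: a 64-byte argument passes to the exec step, a 65-byte one is refused. The names first_overlong_arg, guarded_exec and gate_arg_of_length are this example's own, and /nonexistent/passwd.real is a placeholder path that deliberately does not exist, so the exec attempt fails instead of running anything.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAXARGLEN 64   /* the limit the AUSCERT wrapper applies */

/* Index of the first argument longer than maxlen, or -1 when every one
 * (argv[0] included) is within bounds.  Walks to the NULL terminator,
 * so a wrong argc cannot make it skip an argument. */
int first_overlong_arg(char *const argv[], size_t maxlen)
{
    int i;
    for (i = 0; argv != NULL && argv[i] != NULL; i++)
        if (strlen(argv[i]) > maxlen)
            return i;
    return -1;
}

/* Gate, then exec.  Returns 1 when an argument is refused (nothing runs),
 * -1 with errno set when execve itself fails; on success execve replaces
 * the process and this never returns. */
int guarded_exec(const char *real, char *const argv[], char *const envp[])
{
    int bad = first_overlong_arg(argv, MAXARGLEN);
    if (bad >= 0) {
        fprintf(stderr, "argument %d exceeds %d bytes; not running %s\n",
                bad, MAXARGLEN, real);
        return 1;
    }
    execve(real, argv, envp);
    return -1;
}

/* Constructed vector {"passwd", <len bytes of 'A'>, NULL} pushed through
 * the gate against a hypothetical real binary that does not exist, so
 * 1 means refused by the gate and -1 means the exec was attempted. */
int gate_arg_of_length(size_t len)
{
    static char filler[256];
    char *vec[] = { "passwd", filler, NULL };
    char *noenv[] = { NULL };
    if (len >= sizeof filler)
        return -2;                       /* larger than this demo supports */
    memset(filler, 'A', len);
    filler[len] = '\0';
    return guarded_exec("/nonexistent/passwd.real", vec, noenv);
}
```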