From kksocha@ERENJ.COM Wed Dec 10 14:53:33 1997
From: "Kevin K. Sochacki" 
To: BUGTRAQ@NETSPACE.ORG
Date: Fri, 5 Dec 1997 17:28:18 -0500
Reply-To: kks@superlink.net
Subject: HPUX rexecd bug on trusted system

I have discovered a bug in rexecd on systems running HPUX 10.20 that have
been converted to trusted systems.

Problem:
On unsuccessful login attempts via rexec/rexecd the bad login counter
(u_numunsuclog) is updated as it should, however on any successful login
the bad login counter does not get cleared.  So if users inadvertently
mistype their password even once between successful logins they will
eventually be locked out.  Lockouts should only occur when consecutive
unsuccessful logins exceed the allowed bad logins.

Note:
For those of you who have converted to a trusted system and have not
applied patch PHNE_12161, you are vulnerable to a brute-force attack of
guessing passwords via rexec. Patch PHNE_12161 fixes a problem of not
updating the bad login counter (u_numunsuclog), which circumvents the
lockout feature of unsuccessful user logins.

This problem has been reported to HP and is currently being addressed.

=-=

From secure@HPCUGSYA.CUP.HP.COM Wed Dec 10 14:53:39 1997
From: Security Alert 
To: BUGTRAQ@NETSPACE.ORG
Date: Fri, 5 Dec 1997 17:12:40 PST
Subject: Re: HPUX rexecd bug on trusted system

"Kevin K. Sochacki"  wrote:
>
> I have discovered a bug in rexecd on systems running HPUX 10.20 that have
> been converted to trusted systems.

>This problem has been reported to HP and is currently being addressed.
                                          ^^^^^^^^^^^^
to which we respectfully add:

This problem _has_ been fully addressed in patch PHNE_12161.  It was posted
to our patch hub on 19 August, and targets all HP9000 S700/800 10.X trusted
systems.

HP S/W Security Team

=-=

From kksocha@ERENJ.COM Wed Dec 10 14:55:26 1997
From: "Kevin K. Sochacki" 
To: BUGTRAQ@NETSPACE.ORG
Date: Mon, 8 Dec 1997 11:43:28 -0500
Reply-To: kks@superlink.net
Subject: Re: HPUX rexecd bug on trusted system

Security Alert wrote:
>
> "Kevin K. Sochacki"  wrote:
> >
> > I have discovered a bug in rexecd on systems running HPUX 10.20 that have
> > been converted to trusted systems.
> 
> >This problem has been reported to HP and is currently being addressed.
>                                           ^^^^^^^^^^^^
> to which we respectfully add:
>
> This problem _has_ been fully addressed in patch PHNE_12161.  It was posted
> to our patch hub on 19 August, and targets all HP9000 S700/800 10.X trusted
> systems.
>
> HP S/W Security Team
> --

The problem addressed in patch PHNE_12161, as implied in the description,
only fixed a problem of not updating the bad login counter. This _does_
fix the vulnerability issue, however on successful logins the bad login
counter _does_not_ get cleared, therefore locking the users out no matter
how many times they log in successfully between unsuccessful attempts.

So to your reply I respectfully add:

This problem _has_NOT_ been fully addressed in patch PHNE_12161.  It
only addressed the most severe part of the problem, leaving an
administrative headache. If you consider the administrator whose
workload can't handle the added stress of constantly reactivating a number
of users, he may opt to disable this feature once again leaving the system
vulnerable.

I have patch PHNE_12161 applied and I'm constantly reactivating user
accounts due to this problem. I have confirmed the problem; it is
reproducible and is a major headache. This is still a very big problem!
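
=-=

Added example, not part of the thread and not HP's code: a small C model of the three counter behaviours the messages describe (failures not counted, counted but never cleared, counted and cleared on success), replayed over constructed login sequences. Only the field name u_numunsuclog comes from the messages; the struct, the policy names, the "lock once failures exceed max_tries" rule and the sample sequences are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model; only the name u_numunsuclog comes from the thread. */
enum policy {
    NO_COUNT,        /* without PHNE_12161: rexec failures are not counted */
    COUNT_NO_RESET,  /* reported with PHNE_12161: counted, never cleared   */
    COUNT_AND_RESET  /* expected: a successful login clears the counter    */
};

struct account { int u_numunsuclog; int max_tries; bool locked; };
/* Apply one login attempt; returns true if the login is accepted. */
static bool attempt(struct account *a, enum policy p, bool password_ok)
{
    if (a->locked) return false;      /* locked accounts reject everything */
    if (!password_ok) {
        /* Assumed rule: lock once failures exceed the allowed number. */
        if (p != NO_COUNT && ++a->u_numunsuclog > a->max_tries)
            a->locked = true;
        return false;
    }
    if (p == COUNT_AND_RESET)
        a->u_numunsuclog = 0;         /* the step the thread says is missing */
    return true;
}

/* Replay outcomes; returns index of the attempt that locked the account, or -1. */
int replay(enum policy p, int max_tries, const bool *ok, size_t n)
{
    struct account a = { 0, max_tries, false };
    for (size_t i = 0; i < n; i++) {
        attempt(&a, p, ok[i]);
        if (a.locked) return (int)i;
    }
    return -1;
}

/* Constructed sequences: true = correct password, false = wrong one. */
static const bool typo_user[] = { true, false, true, true, false, true, false, true };
static const bool guessing[]  = { false, false, false, false, false, false };

int main(void)
{
    for (int p = NO_COUNT; p <= COUNT_AND_RESET; p++)
        printf("policy %d: typo_user locks at %d, guessing locks at %d\n", p,
               replay(p, 2, typo_user, 8), replay(p, 2, guessing, 6));
    return 0;
}
```

With max_tries set to 2, the occasional-typo user is locked out only under the counted-but-never-cleared policy, while the run of consecutive wrong passwords is locked out under both counting policies and never under the uncounted one.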