Bugtraq archives for 3rd quarter (Jul-Sep) 1996: Re: Vunerability in HP sysdiag ?

Re: Vunerability in HP sysdiag ?

Aggelos P. Varvitsiotis (avarvitcc.ece.ntua.gr)
Wed, 25 Sep 1996 12:22:47 +0300

"John W. Jacobi" <jjacobinova.umuc.edu> wrote:
> Hi all,
>
> If this is out, I apologize.
>
> Subject: Vunerability in HP sysdiag ???
>
> Program and Systems that I did this on:
>         The sysdiag program on
>            HP 9000/700/HPUX9.05 (has PHSS_7587)
>            HP 9000/800/HPUX9.04 (not sure of patch regarding diags)
>
> To Prevent:
>         For now, turn off the set uid on the programs involved.
>
> This is how it worked for me, perhaps you too:
>
> Problem:
>
>         Basically, the sysdiag stuff is set-uid root.  You can exploit that
> feature to create and write stuff to arbitrary files on the system as root,
> while not being root.  If the target file you want to create exists, this
> doesn't work.  Perhaps there is a way around that, but that ain't the point.
> The point is that I used this to get root in 30 seconds on my HP's and that's
> not good.  Heck, this is probably faster than asking for the root password !!!
[rest of message deleted]

I verified it for HP-UX 9.0X. Not only that, though. It is not sufficient
to chmod u-s /bin/sysdiag. This leaves behind a bunch of programs in
/usr/diag/bin which are still setuid to root and behave quite the same
(i.e., they don't check for symlinks while creating 0666 log or temp
files). A non-privileged user can use any of these to create 0666
/.rhosts (or whatever else) files, with the known consequences.

Proposed solution:
root# chmod u-s /bin/sysdiag /usr/diag/bin/*

The question in jjacobi's other mail(s) remains: is there a single source
for this line of vulnerabilities? In which HP-UX releases?

A. Varvitsiotis
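
The missing check the reply describes (no symlink test when a privileged program creates a 0666 log or temp file) is shown closed below in an added example; it is not part of the original message and not HP's code. It uses the modern POSIX flags O_EXCL and O_NOFOLLOW, and the function names and the paths under /tmp are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a log file without writing through a pre-planted symlink.
 * O_CREAT|O_EXCL makes open() fail if the last path component already
 * exists, even as a dangling symlink; O_NOFOLLOW is a second guard.
 * The mode is 0600 rather than 0666, and fstat() confirms a plain file. */
int create_log_safely(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: diag.log is a symlink to a file that does not exist.
 * Returns 1 if creation is refused and the symlink target stays absent. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/symdemoXXXXXX", lnk[64], target[64];
    struct stat st;
    int fd, refused;
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/diag.log", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lnk) != 0) return -1;
    fd = create_log_safely(lnk);
    refused = fd < 0 && (errno == EEXIST || errno == ELOOP)
              && lstat(target, &st) != 0;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return refused;
}

int main(void)
{
    printf("symlink refused: %d\n", demo_symlink_refused());
    return 0;
}
```
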