Re: HP-UX 11.0/800 patches leave suid binaries
Olle Segerdahl,D (olle vattenfall.se) Mon, 8 Feb 1999 09:08:58 +0100
- Next message: Chris Brenton: "Re: ISS Internet Scanner Cannot be relied upon for conclusive"
- Previous message: Nick Maclaren: "Re: Buffer overflow and OS/390"
- In reply to: Lamont Granquist: "HP-UX 11.0/800 patches leave suid binaries"
On Fri, 5 Feb 1999, Lamont Granquist wrote:

> The following file is left suid root after a patch installation in HP-UX
> 11.0:
>
> -r-s--x--x 1 root bin 20480 Nov 7 1997
> /var/adm/sw/save/PHCO_13214/CMDS-AUX/usr/bin/newgrp
>
> % uname -a
> HP-UX xxxx B.11.00 A 9000/898 1687633341 two-user license
>
> Fortunately, the /var/adm/sw/save directory is only readable by root. I do
> not know if the newgrp binary is vulnerable, or if the PHCO_13214 patch is
> a security patch. I still feel this is poor practice by HP. HP-UX admins
> should scan their systems for other suid binaries which have been left
> lying around by other patches:

As far as I recall this has always been the case with HP Patch saves.

    #
    #uname -r
    B.10.20
    #
    #pwd
    /var/adm/sw/patch
    #
    #ll -d .
    dr-x------ 281 root sys 6144 Feb 4 19:17 .
    #
    #ll ./PHCO_12097/usr/bin/newgrp
    -r-sr-xr-x 1 root bin 16384 Jun 10 1996 ./PHCO_12097/usr/bin/newgrp
    #

But as you can see /var/adm/sw/patch is +r+x root & no other permissions.
Not good practice, but no immediate security threat either.

/olle

--
Above views are my own unless explicitly stated otherwise.
God is real, until declared integer.
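The audit discussed in this thread, as an added example that is not part of the original messages: a POSIX shell script that lists setuid/setgid files under a patch save directory and reports whether a directory on the path denies group and other search access, as the `dr-x------` directory above does. The function names are hypothetical; the script only inspects directories between each file and the directory given, and it does not check directory ownership or ACLs.

```shell
#!/bin/sh
# Added example. Pass the save directory to audit, e.g. /var/adm/sw/save
# (HP-UX 11.0) or /var/adm/sw/patch (10.20), the two paths named in the thread.

# mode_string PATH: print the 10-character ls mode field, e.g. dr-x------
mode_string() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# shielded_by TOP FILE: print the first directory between FILE and TOP
# (inclusive) with no group and no other search (x) permission.
# Returns 1 if every directory on that path is searchable by someone else.
shielded_by() {
    top=$1
    dir=$(dirname "$2")
    while :; do
        m=$(mode_string "$dir")
        gx=$(printf '%s' "$m" | cut -c7)    # group x column: x, s, S or -
        ox=$(printf '%s' "$m" | cut -c10)   # other x column: x, t, T or -
        case "$gx$ox" in
            [-S][-T]) printf '%s\n' "$dir"; return 0 ;;
        esac
        # Stop at TOP; also stop at / or . so a mismatched TOP cannot loop.
        case "$dir" in "$top"|/|.) return 1 ;; esac
        dir=$(dirname "$dir")
    done
}

# audit_saved_suid TOP: one line per setuid or setgid regular file under TOP.
#   SHIELDED <file> <dir>   <dir> blocks traversal by group and other
#   EXPOSED  <file>         nothing between the file and TOP blocks traversal
audit_saved_suid() {
    top=${1%/}
    find "$top" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        if d=$(shielded_by "$top" "$f"); then
            printf 'SHIELDED %s %s\n' "$f" "$d"
        else
            printf 'EXPOSED %s\n' "$f"
        fi
    done
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then audit_saved_suid "$1"; fi
```

An `EXPOSED` line means the saved binary is reachable by non-root users as far as the audited subtree is concerned, so the directories above the one given still need checking.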