[17649] in bugtraq
Re: HPUX security bulletins digest
daemon@ATHENA.MIT.EDU (Hobbs, Eric (Sbcsi))
Tue Nov 14 11:13:32 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <9B9C366BF871D4119CF900508B694043A3C5@msi-marquee2.corp.sbc.com>
Date: Tue, 14 Nov 2000 08:36:29 -0600
Reply-To: "Hobbs, Eric (Sbcsi)" <EHobbs@CORP.SBC.COM>
From: "Hobbs, Eric (Sbcsi)" <EHobbs@CORP.SBC.COM>
X-To: "Boyce, Nick" <nick.boyce@EDS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi.
I'm not so sure about the remote compromise, but the /sbin/auto_parms
script, which I believe is fixed by this patch, contains at least two
instances where it sources files in the /tmp directory without checking for
their existence first.
I'm pulling this out of my memory because I notified HP of some of these
problems about four months ago, so my details might be prone to fuzzy math.
I don't have my original document with me at the moment.
One instance is more of a guessing game. When booting, the /etc/rc script
calls the /etc/auto_parms script to work out some DHCP details. During this
process, I believe it pulls some environment vars out of
/etc/rc.config.d/netconf and creates a file in /tmp called $$.sh
Since this script is called at boot time, a nasty local user can guess a
range of PIDs that could be used and can create a series of soft links or
named pipes in /tmp that could either blow away a file in the first case, or
completely freeze the boot process in the second case. DoS.
The second problem that I found was more serious. In the auto_parms script,
there is a chunk of code that apparently is only supposed to be used when
booting during an installation. It checks for the existence of a file
called /tmp/install.vars. If it is there, it sources it on boot up. Use
your imagination. The bad user can drop a file in there that will give them
a rootshell when the system is rebooted. Very bad. I tried it. It worked.
While I'm sure the HP patch resolves it, I found that because I don't use
DHCP, I just renamed the /sbin/auto_parms script. /sbin/rc complains a
little bit on boot, but otherwise, it didn't affect my machines.
Also: MAKE SURE THE STICKY BIT IS SET ON /TMP!!! Even the TCB HP-UX
doesn't do this. It seems like a major oversight.
So yes, it is a problem, but I'm not a black-hat h4Ck3R/cR4cK3R type so I
don't know if the problems can be leveraged to open a remote compromise.
Sorry for the vagueness,
--Eric
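As an added example (this is not code from the HP patch, from the /sbin/auto_parms script, or from Eric's report), the script below shows the two conditions Eric describes, an attacker-planted symlink at a guessable $PID.sh name and a FIFO at a fixed name, and the checks a boot script should make before writing to or sourcing a file under /tmp: refuse symlinks and FIFOs, refuse files not owned by the caller or writable by others, and create its own temp file with an unpredictable name via mktemp. It also checks the /tmp sticky bit Eric asks for. It assumes a POSIX shell with mktemp, ls -n and mkfifo, and uses a scratch directory from mktemp -d as a stand-in for /tmp so it runs unprivileged; the function names, the guessed PID 1234 and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the HP-UX auto_parms script. A scratch directory made
# with mktemp -d (assumption) stands in for /tmp so this runs unprivileged.

# is_safe_to_source FILE: 0 if FILE is a plain file (not a symlink, not a
# FIFO), owned by the caller, and not group- or world-writable; else 1.
is_safe_to_source() {
    f=$1
    [ -L "$f" ] && return 1          # symlink: may point at any file (e.g. /etc/passwd)
    [ -f "$f" ] || return 1          # missing, or a FIFO that would block the boot
    info=$(ls -ldn "$f") || return 1 # -n: numeric uid, comparable with id -u
    perms=$(printf '%s\n' "$info" | cut -c1-10)
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || return 1
    case $perms in
        -????w????|-???????w?) return 1 ;;   # group (col 6) or other (col 9) write
    esac
    return 0
}

# dir_has_sticky_bit DIR: 0 if the sticky bit is set on DIR, so only a
# file's owner can remove or rename it; ls shows it as t/T in column 10.
dir_has_sticky_bit() {
    case $(ls -ldn "$1" | cut -c10) in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# demo: plant the two attacker files, show the predictable-name write
# clobbers a victim file through the symlink, and confirm the check rejects
# both planted files while accepting a mktemp-created file. Returns 0 on
# the expected outcome.
demo() {
    shared=$(mktemp -d) || return 1        # stand-in for /tmp
    chmod 1777 "$shared"
    victim="$shared/victim.txt"
    echo "important data" > "$victim"

    # Attacker guesses the PID the boot script will use (constructed: 1234)
    # and pre-plants a symlink there; also plants a FIFO at the fixed name.
    guessed_pid=1234
    ln -s "$victim" "$shared/$guessed_pid.sh"
    mkfifo "$shared/install.vars"

    # Unsafe pattern: write to /tmp/$$.sh by name. The write follows the
    # symlink and overwrites the victim file.
    echo 'X=1' > "$shared/$guessed_pid.sh"
    clobbered=$(cat "$victim")

    # The check must refuse both planted files.
    is_safe_to_source "$shared/$guessed_pid.sh" && { rm -rf "$shared"; return 1; }
    is_safe_to_source "$shared/install.vars"    && { rm -rf "$shared"; return 1; }

    # Safe pattern: unpredictable name, created exclusively by mktemp, mode 0600.
    safe=$(mktemp "$shared/autoparms.XXXXXX") || { rm -rf "$shared"; return 1; }
    echo 'DHCP_ENABLE=1' > "$safe"
    is_safe_to_source "$safe" || { rm -rf "$shared"; return 1; }
    . "$safe"

    rm -rf "$shared"
    [ "$clobbered" = "X=1" ] && [ "$DHCP_ENABLE" = 1 ]
}

# sticky_demo: the bit is reported only after chmod 1777. Returns 0 if so.
sticky_demo() {
    d=$(mktemp -d) || return 1
    chmod 0777 "$d"
    dir_has_sticky_bit "$d" && { rmdir "$d"; return 1; }
    chmod 1777 "$d"
    dir_has_sticky_bit "$d" || { rmdir "$d"; return 1; }
    rmdir "$d"
}

# Stand-alone run.
if demo && sticky_demo; then
    echo "planted symlink and FIFO rejected, mktemp file accepted, sticky bit detected"
else
    echo "unexpected result"
fi
```

The ownership and mode checks are a stop-gap for scripts that must keep reading from a shared directory; the better fix is not to use /tmp at all for boot-time state, but a root-owned directory (mode 0700) that an unprivileged user cannot pre-populate. Run the real check against /tmp with `dir_has_sticky_bit /tmp`.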
-----Original Message-----
From: Boyce, Nick [mailto:nick.boyce@EDS.COM]
Sent: Monday, November 13, 2000 3:38 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: HPUX security bulletins digest
I'm confused <g> ... the HP alert indicates that problem "HPSBUX0011-130"
is both a "DoS at boot-time" problem, and a remote root compromise - [see
"DAMAGE" and "Background" below].
So which is it ? Maybe it's both, but if it's just boot-time DoS I can
live with that for a spell.
The man page says :
auto_parms is a system initialization script whose primary
responsibility lies in handling first time boot configuration and
ongoing management of the DHCP lease(s).
The script is 1700 lines long, so I don't want to have to try to analyse it
myself. Since it deals with DHCP address requesting, I suppose it may be
vulnerable to something like the recent ISC DHCP client vulnerability (if
there exists a malicious DHCP server somewhere), but HP don't give any
clues.
Does anyone understand this better than me ?
[It matters a bit to me - many systems to fix - as to quite how much panic I
allow myself ...]
I'd log a call with HP to ask, but I've not had a useful result from that
course in the past.
Thanks,
Nick
EDS Healthcare, Bristol, UK
-----Original Message-----
From: Oonk, Patrick [mailto:patrick@PINE.NL]
Sent: 13 November 2000 13:22
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: security bulletins digest
HP Support Information Digests
[snip]
Document ID Title
--------------- -----------
HPSBUX0011-130 Sec. Vulnerability in auto_parms
[snip]
DAMAGE: May allow remote users to gain root access or to disrupt
normal operations.
[snip]
A. Background
Hewlett-Packard Company has been informed of a defect in the
/sbin/auto_parms script. There is potential for a Denial of
Service (DoS) at boot time.
[end-of-alert-and-snippage]