[3388] in bugtraq
Re: Vulnerability in HP sysdiag ?
daemon@ATHENA.MIT.EDU (Aggelos P. Varvitsiotis)
Wed Sep 25 12:57:56 1996
Date: Wed, 25 Sep 1996 12:22:47 +0300
Reply-To: "Aggelos P. Varvitsiotis" <avarvit@cc.ece.ntua.gr>
From: "Aggelos P. Varvitsiotis" <avarvit@cc.ece.ntua.gr>
X-To: jjacobi@pop500.gsfc.nasa.gov
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <3244E32A.6093@pop500.gsfc.nasa.gov> from "John W. Jacobi" at Sep 21, 96 11:56:42 pm

"John W. Jacobi" <jjacobi@nova.umuc.edu> wrote:
> Hi all,
>
> If this is out, I apologize.
>
> Subject: Vulnerability in HP sysdiag ???
>
> Program and Systems that I did this on:
> The sysdiag program on
> HP 9000/700/HPUX9.05 (has PHSS_7587)
> HP 9000/800/HPUX9.04 (not sure of patch regarding diags)
>
> To Prevent:
> For now, turn off the set uid on the programs involved.
>
> This is how it worked for me, perhaps you too:
>
> Problem:
>
> Basically, the sysdiag stuff is set-uid root. You can exploit that
> feature to create and write stuff to arbitrary files on the system as
> root, while not being root. If the target file you want to create exists,
> this doesn't work. Perhaps there is a way around that, but that ain't the
> point. The point is that I used this to get root in 30 seconds on my HP's
> and that's not good. Heck, this is probably faster than asking for the
> root password !!!
[rest of message deleted]

I verified it for HP-UX 9.0X. Not only that, though. It is not sufficient
to chmod u-s /bin/sysdiag. This leaves behind a bunch of programs in
/usr/diag/bin which are still setuid to root and behave quite the same
(i.e., they don't check for symlinks while creating 0666 log or temp
files). A non-privileged user can use any of these to create 0666
/.rhosts (or whatever else) files, with the known consequences.

Proposed solution:

    root# chmod u-s /bin/sysdiag /usr/diag/bin/*

The question in jjacobi's other mail(s) remains: is there a single source
for this line of vulnerabilities? In which HP-UX releases?

A. Varvitsiotis
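
The file-creation flaw described in the message above (log or temp files created 0666 without a symlink check), shown next to a hardened form. This is an added example, not part of the original post and not HP's code. The function names and scratch paths are hypothetical, and O_NOFOLLOW is a later POSIX flag that was not available on HP-UX 9.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the post: create a 0666 log and follow whatever the path
 * resolves to, including a symlink planted by another user. */
int create_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: O_EXCL makes open() fail with EEXIST when the last path
 * component already exists, even as a dangling symlink. O_NOFOLLOW is a
 * second guard, and the mode is owner-only instead of world-writable. */
int create_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: diag.log is a
 * symlink to "victim", which does not exist yet.
 * Returns 1 if creating the log created the victim through the symlink,
 * 0 if it did not, -1 on setup failure. */
int victim_created(int use_safe) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char log[64], victim[64];
    struct stat st;

    if (!mkdtemp(dir)) return -1;
    snprintf(log, sizeof log, "%s/diag.log", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, log) != 0) return -1;

    int fd = use_safe ? create_log_safe(log) : create_log_unsafe(log);
    if (fd >= 0) close(fd);

    int created = (stat(victim, &st) == 0);
    unlink(victim);
    unlink(log);
    rmdir(dir);
    return created;
}

int main(void) {
    printf("unsafe: victim created = %d\n", victim_created(0));
    printf("safe:   victim created = %d\n", victim_created(1));
    return 0;
}
```

A setuid program should also create such files with the caller's real uid rather than as root; the example covers only the open() flags and mode.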