Bugtraq mailing list archives
Re: HPUX security bulletins digest
From: "Hobbs, Eric (Sbcsi)" <EHobbs () CORP SBC COM>
Date: Tue, 14 Nov 2000 08:36:29 -0600
Hi.

I'm not so sure about the remote compromise, but the /sbin/auto_parms script, which I believe is fixed by this patch, contains at least two instances where it sources files in the /tmp directory without checking for their existence first. I'm pulling this out of my memory because I notified HP of some of these problems about four months ago, so my details might be prone to fuzzy math. I don't have my original document with me at the moment.

One instance is more of a guessing game. When booting, the /etc/rc script calls the /etc/auto_parms script to work out some DHCP details. During this process, I believe it pulls some environment vars out of /etc/rc.config.d/netconf and creates a file in /tmp called $$.sh. Since this script is called at boot time, a nasty local user can guess a range of PIDs that could be used and can create a series of soft links or named pipes in /tmp that could either blow away a file in the first case, or completely freeze the boot process in the second case. DoS.

The second problem that I found was more serious. In the auto_parms script, there is a chunk of code that apparently is only supposed to be used when booting during an installation. It checks for the existence of a file called /tmp/install.vars. If it is there, it sources it on boot up. Use your imagination. The bad user can drop a file in there that will give them a rootshell when the system is rebooted. Very bad. I tried it. It worked.

While I'm sure the HP patch resolves it, I found that because I don't use DHCP, I just renamed the /sbin/auto_parms script. /sbin/rc complains a little bit on boot, but otherwise, it didn't affect my machines.

Also: MAKE SURE THE STICKY BIT IS SET ON /TMP!!! Even the TCB HP-UX doesn't do this. It seems like a major oversight.

So yes, it is a problem, but I'm not a black-hat h4Ck3R/cR4cK3R type so I don't know if the problems can be leveraged to open a remote compromise.
Sorry for the vagueness,

--Eric

-----Original Message-----
From: Boyce, Nick [mailto:nick.boyce () EDS COM]
Sent: Monday, November 13, 2000 3:38 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: HPUX security bulletins digest

I'm confused <g> ... the HP alert indicates that problem "HPSBUX0011-130" is both a "DoS at boot-time" problem, and a remote root compromise - [see "DAMAGE" and "Background" below].

So which is it? Maybe it's both, but if it's just boot-time DoS I can live with that for a spell.

The man page says:

    auto_parms is a system initialization script whose primary responsibility lies in handling first time boot configuration and ongoing management of the DHCP lease(s).

The script is 1700 lines long, so I don't want to have to try to analyse it myself. Since it deals with DHCP address requesting, I suppose it may be vulnerable to something like the recent ISC DHCP client vulnerability (if there exists a malicious DHCP server somewhere), but HP don't give any clues.

Does anyone understand this better than me? [It matters a bit to me - many systems to fix - as to quite how much panic I allow myself ...]

I'd log a call with HP to ask, but I've not had a useful result from that course in the past.

Thanks,
Nick
EDS Healthcare, Bristol, UK

-----Original Message-----
From: Oonk, Patrick [mailto:patrick () PINE NL]
Sent: 13 November 2000 13:22
To: BUGTRAQ () SECURITYFOCUS COM
Subject: security bulletins digest

HP Support Information Digests
[snip]

Document ID      Title
---------------  -----------
HPSBUX0011-130   Sec. Vulnerability in auto_parms
[snip]

DAMAGE: May allow remote users to gain root access or to disrupt normal operations.
[snip]

A. Background
Hewlett-Packard Company has been informed of a defect in the /sbin/auto_parms script. There is potential for a Denial of Service (DoS) at boot time.

[end-of-alert-and-snippage]
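
The checks a boot-time script would need before touching /tmp the way the message above describes, as an added POSIX sh example that is not taken from auto_parms, the HP patch, or any poster in this thread. All function names are hypothetical, and `auto.$$.N` is a constructed naming scheme.

```shell
#!/bin/sh
# Added example: defensive handling of files under a shared temp directory.

# has_sticky DIR: succeed if DIR is a directory with the sticky bit set, so
# users cannot rename or delete each other's entries in it.
has_sticky() {
    [ -n "$(find "$1" -prune -type d -perm -1000 2>/dev/null)" ]
}

# safe_to_source FILE: succeed only if FILE is a regular file (not a symlink
# or named pipe), owned by root or the invoking user, and not writable by
# group or others. Existence alone is not enough to trust a file in /tmp.
safe_to_source() {
    f=$1
    [ -L "$f" ] && return 1
    [ -f "$f" ] || return 1
    out=$(find "$f" -prune -type f \( -user 0 -o -user "$(id -u)" \) \
        ! -perm -020 ! -perm -002 2>/dev/null) || return 1
    [ -n "$out" ]
}

# source_if_trusted FILE: source FILE only when the checks pass. Without the
# sticky bit on the parent directory the file could still be swapped between
# check and use, so privileged scripts should keep such files out of /tmp.
source_if_trusted() {
    safe_to_source "$1" || return 1
    . "$1"
}

# private_workdir BASE: create a fresh owner-only directory under BASE and
# print its path. mkdir is atomic and fails if the name already exists, even
# as a dangling symlink or a pipe, so a pre-planted entry at a guessed
# PID-based name is skipped instead of being written through or opened.
private_workdir() {
    base=$1
    n=0
    while [ "$n" -lt 100 ]; do
        d="$base/auto.$$.$n"
        if (umask 077 && mkdir "$d") 2>/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}
```

Scratch files written inside the directory returned by `private_workdir` are out of reach of other local users, which is what a bare `/tmp/$$.sh` lacks.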