Title: HP-UX newgrp Buffer Overrun Vulnerability
Released by: CERT
Date: 7th January 1997

=============================================================================
CERT* Advisory CA-97.02
Original issue date: January 7, 1997
Last Revised: September 26, 1997
              Updated copyright statement

              A complete revision history is at the end of this file.

Topic: HP-UX newgrp Buffer Overrun Vulnerability
-----------------------------------------------------------------------------

   The text of this advisory was originally released on December 3, 1996, as
   AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability, developed by
   AUSCERT. Because of the seriousness of the problem, we are reprinting the
   AUSCERT advisory here with their permission. Only the contact information
   at the end has changed: AUSCERT contact information has been replaced with
   CERT/CC contact information.

   We will update this advisory as we receive additional information.
   Look for it in an "Updates" section at the end of the advisory.

===========================================================================

AUSCERT has received information that a vulnerability exists in the
newgrp(1) program under HP-UX 9.x and 10.x.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

Currently there are no vendor patches available that address this
vulnerability.  AUSCERT recommends that sites take the steps outlined in
section 3 as soon as possible.

This advisory will be updated as more information becomes available.
----------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    HP-UX newgrp(1) program.  The newgrp command is used to change a user's
    group identification, and is installed by default.

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    newgrp program while it is executing.  By supplying a carefully
    designed argument to the newgrp program, intruders may be able to
    force newgrp to execute arbitrary commands.  As newgrp is setuid
    root, this may allow intruders to run arbitrary commands with root
    privileges.

    This vulnerability is known to affect both HP-UX 9.x and 10.x.

    By default, newgrp is located in /bin under HP-UX 9.x and in
    /usr/bin under HP-UX 10.x.

    Exploit information involving this vulnerability has been made
    publicly available.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    AUSCERT recommends that sites limit the possible exploitation of this
    vulnerability by immediately removing the setuid permissions as stated
    in Section 3.1.  If the newgrp command is required, AUSCERT recommends
    the newgrp wrapper program given in Section 3.2 be installed.

    AUSCERT recommends that official vendor patches be installed when
    they are made available.  See the Updates section for information
    about availability of patches.

3.1 Remove setuid and non-root execute permissions

    To prevent the exploitation of the vulnerability described in the
    advisory, AUSCERT recommends that the setuid permissions be removed from
    the newgrp program immediately.  As the newgrp program will no
    longer work for non-root users, it is recommended that the execute
    permissions also be removed.  Before doing so, the original permissions
    for newgrp should be noted as they will be needed if sites choose to
    install the newgrp wrapper program (Section 3.2).

    For HP-UX 9.x:

        # ls -l /bin/newgrp
        -r-sr-xr-x   1 root     sys        16384 Dec  2 13:45 /bin/newgrp

        # chmod 500 /bin/newgrp
        # ls -l /bin/newgrp
        -r-x------   1 root     sys        16384 Dec  2 13:45 /bin/newgrp

    For HP-UX 10.x:

        # ls -l /usr/bin/newgrp
        -r-sr-xr-x   1 root     sys        12288 Dec  2 13:27 /usr/bin/newgrp

        # chmod 500 /usr/bin/newgrp
        # ls -l /usr/bin/newgrp
        -r-x------   1 root     sys        12288 Dec  2 13:27 /usr/bin/newgrp

    Note that this will remove the ability for any non-root user to run the
    newgrp program.

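    The following check is an addition to this advisory, not part of the
    AUSCERT text: it verifies on a host that the Section 3.1 workaround is in
    place by reading the mode column of ls -ld (available on both HP-UX 9.x
    and 10.x) and reporting whether the setuid bit or any group/other execute
    bit is still set on the newgrp binary.

```shell
# Added check, not part of the advisory: confirm the Section 3.1 workaround
# is in place.  Returns 0 when the file is neither setuid nor executable by
# group/other (the state chmod 500 leaves it in), 1 otherwise, 2 if missing.
# Uses only ls -ld and cut, which HP-UX 9.x and 10.x both provide.
newgrp_hardened() {
    f="$1"
    [ -e "$f" ] || { echo "missing: $f"; return 2; }
    mode=$(ls -ld "$f" | cut -c1-10)        # e.g. -r-sr-xr-x
    case "$mode" in
        ???[sS]*)                            # 4th column: owner setuid
            echo "setuid still set: $f ($mode)"; return 1 ;;
    esac
    case "$mode" in
        ??????[xs]*|?????????[xst])          # group or other execute
            echo "group/other execute still set: $f ($mode)"; return 1 ;;
    esac
    echo "hardened: $f ($mode)"
    return 0
}

# Check the default locations for both affected releases; the result is
# collected in $status rather than exiting, so the file can be sourced.
status=0
for p in /bin/newgrp /usr/bin/newgrp; do
    [ -e "$p" ] || continue
    newgrp_hardened "$p" || status=1
done
```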

3.2 Install newgrp wrapper

    AUSCERT has developed a wrapper to help prevent programs from being
    exploited using the vulnerability described in this advisory.  This
    wrapper, including installation instructions, can be found at:

        http://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper.c

    This replaces the newgrp program with a wrapper which checks the
    length of the command line arguments passed to it.  If an argument
    exceeds a certain predefined value (MAXARGLEN), the wrapper exits
    without executing the newgrp command.  The wrapper program can also
    be configured to syslog any failed attempts to execute newgrp with
    arguments exceeding MAXARGLEN.  For further instructions on using
    this wrapper, please read the comments at the top of overflow_wrapper.c.

    When compiling overflow_wrapper.c for use with HP-UX newgrp, AUSCERT
    recommends defining MAXARGLEN to be 16.

    The MD5 checksum for Version 1.0 of overflow_wrapper.c is:

        MD5 (overflow_wrapper.c) = f7f83af7f3f0ec1188ed26cf9280f6db

    AUSCERT recommends that until vendor patches can be installed, sites
    requiring the newgrp functionality apply this workaround.

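    The program below is an added illustration of the check described in
    Section 3.2; it is not AUSCERT's overflow_wrapper.c.  Every argument is
    measured against MAXARGLEN (16, the value recommended above), a refusal
    is recorded via syslog without echoing the argument itself, and only when
    all arguments fit is the real binary executed.  REAL_NEWGRP, the path the
    original newgrp is moved to at install time, is an assumed name.

```c
/* Added example, not AUSCERT's overflow_wrapper.c: a setuid wrapper that
 * refuses to run the real newgrp when any argument exceeds MAXARGLEN and
 * logs the refusal to syslog.  REAL_NEWGRP is an assumed path: the original
 * binary is moved there at install time and this wrapper takes its place. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#ifndef MAXARGLEN
#define MAXARGLEN 16                          /* AUSCERT's value for HP-UX newgrp */
#endif
#ifndef REAL_NEWGRP
#define REAL_NEWGRP "/usr/bin/newgrp.real"    /* assumed install location */
#endif

/* Return the index of the first argument (argv[1..argc-1]) longer than
 * maxlen, or -1 when every argument fits. */
int first_oversized_arg(int argc, char *const argv[], size_t maxlen)
{
    int i;
    for (i = 1; i < argc; i++)
        if (strlen(argv[i]) > maxlen)
            return i;
    return -1;
}

int main(int argc, char *argv[])
{
    int bad = first_oversized_arg(argc, argv, MAXARGLEN);

    if (bad != -1) {
        /* Record who tried and how long the argument was.  The argument
         * itself is deliberately not logged: it may hold binary bytes. */
        openlog("newgrp_wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING,
               "refused: uid %u passed argument %d of length %lu (max %d)",
               (unsigned)getuid(), bad,
               (unsigned long)strlen(argv[bad]), MAXARGLEN);
        closelog();
        fprintf(stderr, "newgrp: argument too long\n");
        return 1;
    }

    argv[0] = "newgrp";        /* hand the real binary a fixed argv[0] */
    execv(REAL_NEWGRP, argv);
    perror("execv");           /* reached only if the exec itself failed */
    return 1;
}
```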

----------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory.  AUSCERT also
thanks Information Technology Services of the University of Southern
Queensland for their assistance.
----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         http://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        http://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org

* Registered U.S. Patent and Trademark Office.

This file: http://info.cert.org/pub/cert_advisories/CA-97.02.hp_newgrp
           http://www.cert.org
               click on "CERT Advisories"

=============================================================================

UPDATES

April 4, 1997
-------------
The CERT/CC has received reports that the vulnerability described in this
advisory is being exploited.

January 14, 1997
----------------
All HP patches are now available; see HEWLETT-PACKARD SECURITY BULLETIN
#00048, issued on 09 January 1997:

          PHCO_9603  for all platforms with HP-UX releases 9.X
          PHCO_9604  for all platforms with HP-UX releases 10.00/10.01
          PHCO_9605  for all platforms with HP-UX releases 10.10/10.20

   Fixing the problem

      The vulnerability can be eliminated from HP-UX releases 9.X and
      10.X by applying the appropriate patch.

   Recommended solution

      1.  Determine which patches are appropriate for your operating
          system.

      2.  Hewlett-Packard's HP-UX patches are available via email
          and the World Wide Web.

          To obtain a copy of the Hewlett-Packard SupportLine email
          service user's guide, send the following in the TEXT PORTION
          OF THE MESSAGE to support@us.external.hp.com (no Subject
          is required):

                               send guide

          The user's guide explains the HP-UX patch downloading process
          via email and other services available.

          World Wide Web service for downloading of patches
          is available via our URL:
                  (http://us.external.hp.com)

      3.  Apply the patch to your HP-UX system.

      4.  Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log
          (10.X), for any relevant WARNING or ERROR entries.

------------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Sep. 26, 1997  Updates - added copyright statement
Apr. 04, 1997  Updates - added note that the vulnerability is being exploited.
Jan. 14, 1997  Updates - added patch information.