Message-ID: <20030609180922.GA16931@grok.org.uk>
From: johnc at grok.org.uk (John Cartwright)
Subject: [contact@...-pl.net: [LSD] HP-UX security vulnerabilities]

----- Forwarded message from Last Stage of Delirium <contact@...-pl.net> -----

Hello,

In this letter you will find the result of a brief security audit that we
did some time ago for HP-UX platform. We have found 8 vulnerabilities (seven
local and a remote one). Technical details about all of the vulnerabilities
were sent to the HP security team a few months ago and in all cases appropriate
security patches are available.

For each vulnerability we have written a proof of concept code. Some of them
are available for download right now, the remaining ones will be published in
the near future (they are also available in special cases upon well justified
requests).

All proof of concept codes have been written for HP-UX 10.20 platform.

1. /usr/sbin/lanadmin
   /usr/sbin/landiag

   The vulnerability in the lanadmin and landiag programs is caused by improper
   handling of the TERM environment variable in the setupterm() function - it
   copies this variable without any size checking into the stack buffer with
   the use of strcpy function. This bug can be triggered by invoking lanadmin
   or landiag program with TERM environment variable set to a long string value.
   When appropriately exploited it can lead to a local root compromise of
   a vulnerable system.

2. /opt/sharedprint/bin/pcltotiff

   There exists a buffer overflow vulnerability in the command line parsing
   code portion of the pcltotiff program. This bug can be triggered by invoking
   pcltotiff program with a long string argument passed with the -t command line
   option. During program execution, this argument is further insecurely copied
   into the stack buffer with the use of strcpy() function and without any size
   checking. When appropriately exploited this bug can lead to privilege
   elevation attack as group id of bin can be gained on a vulnerable system.

3. rpc.yppasswdd

   The rpc.yppasswdd service is typically installed with NIS (Network Information
   Service) subsystem. The purpose of this service is to handle password change
   requests from yppasswd program. In the HP-UX operating system, the
   rpc.yppasswdd is installed as RPC service number 100009.

   We have found that the same security vulnerability exists in HP-UX
   rpc.yppasswdd as in the Solaris operating system (Bulletin Number #00209).
   This vulnerability can be remotely exploited to gain unauthorised access to
   the target HP-UX system with administrative (root user) privileges.

   The vulnerability can be triggered by sending carefully crafted string
   argument to the YPPASSWDPROC_UPDATE function. This function has two
   arguments: a character string and a passwd struct (in our proof of concept
   code we only send a string instead of the whole structure), which stand for
   respectively the oldpass and passwd struct (in our case pw_name string).
   In the changepasswd() function the pw_name field of the passwd structure
   is copied to a fixed buffer with the use of strcpy() function call. As this
   call is done without any checking of the string length and boundaries,
   program stack can be overwritten in a result of a buffer overflow condition.
   Below you can see a detailed trace log from our bptrace tool, which clearly
   illustrates the rpc.yppasswdd execution path that leads to the overflow
   condition.

   [21110] 0x00012a98    1  changepasswd()
   [21110] 0x00025480    1  memset(0xffbefa30,0,40)
   [21110] 0x00014448    1  xdr_yppasswd()
   [21110] 0x00025738    1  xdr_wrapstring()
   [21110] 0x00014374    1  xdr_passwd()
   [21110] 0x00025744    1  xdr_uid_t()
   [21110] 0x00025750    1  xdr_gid_t()
   [21110] 0x000126b4    1  validstr()
   [21110] 0x0002545c    1  strlen("")
   [21110] 0x000255b8    1  strchr("",':')
   [21110] 0x000126b4    2  validstr()
   [21110] 0x000126b4    3  validstr()
   [21110] 0x00025474    1  strcmp("udp","ticlts")
   ....
   [21110] 0x00025438    1  strcpy(0xffbef9d8,"overlfow string with shellcode")

4. /usr/lib/X11/Xserver/ucode/screens/hp/rs.F3000

   This vulnerability results from bad coding practices, specifically the
   way system() function call is used throughout the code of rs.F30002 program.
   This function call is used by rs.F30002 for invoking external programs
   (like rm) without specifying their absolute path. If PATH environment
   variable is appropriately set prior to such an unsafe system() call
   invocation, user programs can be executed at elevated privileges
   (user=daemon).

5. /usr/bin/stmkfont

   Simple buffer overflow vulnerability exists in the command line parsing
   code portion of the stmkfont program. This bug can be triggered by invoking
   stmkfont program with a long string argument. When appropriately exploited
   it can lead to privilege elevation attack as group id of bin can be gained
   on a vulnerable system.

6. /usr/bin/uucp

   The buffer overflow vulnerability exists in the command line parsing code
   portion of the uucp program. This bug can be triggered by invoking uucp
   program with a long string argument as option. When appropriately exploited
   it can lead to the privilege elevation attack as user id of uucp can be
   gained on a vulnerable system.

7. /usr/bin/uusub

   The buffer overflow vulnerability exists in the command line parsing code
   portion of the uusub program. This bug can be triggered by invoking uusub
   program with a long string argument passed with -a command line option.
   When appropriately exploited it can lead to the privilege elevation attack
   as user id of uucp can be gained on a vulnerable system.


Best Regards,
Members of LSD Research Group
http://lsd-pl.net



----- End forwarded message -----
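Added example, not code from LSD's advisory or from HP-UX: the bounded handling of an environment-supplied terminal name that the setupterm()/strcpy() pattern in item 1 lacks; the same fixed-size copy check applies to the argv and pw_name copies in items 2, 3 and 5 to 7. TERM_MAX, the accepted character set and the "dumb" fallback are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERM_MAX 31   /* constructed limit: longest accepted TERM value in bytes */

/* Return 1 if `term` may be copied into a TERM_MAX+1 byte buffer, 0 otherwise.
 * The scan stops at TERM_MAX+1 bytes, so a long or unterminated value cannot
 * drive the copy past the buffer; only terminfo-style names (alphanumerics,
 * '-', '+', '.') are accepted, which also keeps shell metacharacters out. */
int term_is_acceptable(const char *term)
{
    size_t n;
    if (term == NULL)
        return 0;
    for (n = 0; n <= TERM_MAX; n++) {
        char c = term[n];
        if (c == '\0')
            return n > 0;                         /* non-empty and within limit */
        if (!isalnum((unsigned char)c) && c != '-' && c != '+' && c != '.')
            return 0;                             /* malformed name */
    }
    return 0;                                     /* longer than TERM_MAX */
}

/* Copy the terminal name into a fixed-size caller buffer, falling back to
 * "dumb" when the value is missing, too long or malformed. Returns dst. */
const char *load_term(char *dst, size_t dstsz, const char *env_term)
{
    const char *src = term_is_acceptable(env_term) ? env_term : "dumb";
    /* snprintf always NUL-terminates and never writes more than dstsz bytes,
     * unlike the unbounded strcpy() described in the advisory */
    snprintf(dst, dstsz, "%s", src);
    return dst;
}

int main(void)
{
    char buf[TERM_MAX + 1];
    char longterm[200];                           /* constructed oversized value */
    memset(longterm, 'A', sizeof longterm - 1);
    longterm[sizeof longterm - 1] = '\0';

    printf("%s\n", load_term(buf, sizeof buf, "vt100"));      /* vt100 */
    printf("%s\n", load_term(buf, sizeof buf, longterm));     /* dumb  */
    printf("%s\n", load_term(buf, sizeof buf, getenv("TERM")));
    return 0;
}
```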
