Hello,
In this letter you will find the result of a brief security audit that we
did some time ago for HP-UX platform. We have found 8 vulnerabilities (seven
local and a remote one). Technical details about all of the vulnerabilities
were sent to the HP security team few months ago and in all cases appropriate
security patches are available.
For each vulnerability we have written a proof of concept code. Some of them
are available for download right now, the remaining ones will be published in
the near future (they are also available in special cases upon well justified
requests).
All proof of concept codes have been written for HP-UX 10.20 platform.
1. /usr/sbin/lanadmin
/usr/sbin/landiag
The vulnerability in the lanadmin and landiag programs is caused by improper
handling of the TERM environment variable in the setupterm() function - it
copies this variable without any size checking into the stack buffer with
the use of strcpy function. This bug can be triggered by invoking lanadmin
or landiag program with TERM environment variable set to a long string value.
When appropriately exploited it can lead to a local root compromise of
a vulnerable system.
2. /opt/sharedprint/bin/pcltotiff
There exists a buffer overflow vulnerability in the command line parsing
code portion of the pcltotiff program. This bug can be triggered by invoking
pcltotiff program with a long string argument passed with the -t command line
option. During program execution, this argument is further insecurely copied
into the stack buffer with the use of strcpy() function and without any size
checking. When appropriately exploited this bug can lead to privilege
elevation attack as group id of bin can be gained on a vulnerable system.
3. rpc.yppasswdd
The rpc.yppasswdd service is typically instaled with NIS (Network Information
Service) subsystem. The purpose of this service is to handle password change
requests from yppasswd program. In the HP-UX operating system, the
rpc.yppasswdd is installed as RPC service number 100009.
We have found that there exists the same security vulnerability in HP-UX
rpc.yppasswdd like in Solaris operating system (Bulletin Number #00209).
This vulnerability can be remotely exploited to gain unauthorised access to
the target HP-UX system with administrative (root user) privileges.
The vulnerability can be triggered by sending carefully crafted string
argument to the YPPASSWDPROC_UPDATE function. This function has two
arguments: a character string and a passwd struct (in our proof of concept
ode we only send a string instead of the whole structure), which stand for
respectively the oldpass and passwd struct (in our case pw_name string).
In the changepasswd() function the pw_name field of the passwd structure
is copied to a fixed buffer with the use of strcpy() function call. As this
call is done without any checking of the string length and boundaries,
program stack can be overwritten in a result of a buffer overflow condition.
Below you can see a detailed trace log from our bptrace tool, which clearly
illustrates the rpc.yppasswdd execution path that leads to the overflow
condition.
[21110] 0x00012a98 1 changepasswd()
[21110] 0x00025480 1 memset(0xffbefa30,0,40)
[21110] 0x00014448 1 xdr_yppasswd()
[21110] 0x00025738 1 xdr_wrapstring()
[21110] 0x00014374 1 xdr_passwd()
[21110] 0x00025744 1 xdr_uid_t()
[21110] 0x00025750 1 xdr_gid_t()
[21110] 0x000126b4 1 validstr()
[21110] 0x0002545c 1 strlen("")
[21110] 0x000255b8 1 strchr("",':')
[21110] 0x000126b4 2 validstr()
[21110] 0x000126b4 3 validstr()
[21110] 0x00025474 1 strcmp("udp","ticlts")
....
[21110] 0x00025438 1 strcpy(0xffbef9d8,"overlfow string with shellcode")
4. /usr/lib/X11/Xserver/ucode/screens/hp/rs.F3000
This vulnerability results from bad coding practices, specifically the
way system() function call is used throughout the code of rs.F30002 program.
This function call is used by rs.F30002 for invoking external programs
(like rm) without specifying their absolute path. If PATH environment
variable is appropriately set prior to such an unsafe system() call
invocation, user programs can be executed at elevated privileges
(user=daemon).
5. /usr/bin/stmkfont
Simple buffer overflow vulnerability exists in the command line parsing
code portion of the stmkfont program. This bug can be triggered by invoking
stmkfont program with a long string argument. When appropriately exploited
it can lead to privilege elevation attack as group id of bin can be gained
on a vulnerable system.
6. /usr/bin/uucp
The buffer overflow vulnerability exists in the command line parsing code
portion of the uucp program. This bug can be triggered by invoking uucp
program with a long string argument as option. When appropriately exploited
it can lead to the privilege elevation attack as user id of uucp can be
gained on a vulnerable system.
7. /usr/bin/uusub
The buffer overflow vulnerability exists in the command line parsing code
portion of the uusub program. This bug can be triggered by invoking uusub
program with a long string argument passed with -a command line option.
When appropriately exploited it can lead to the privilege elevation attack
as user id of uucp can can be gained on a vulnerable system.
Best Regards,
Members of LSD Research Group
http://lsd-pl.net