[UNIX] HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 11/16/03

    To: list@securiteam.com
    Date: 16 Nov 2003 18:07:27 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    NSFOCUS Security Team has found that the libc in HP-UX does not restrict
    the NLSPATH environment variable when it is used by suid root programs.
    This allows a local attacker to trigger a format string vulnerability.

    DETAILS

    Vulnerable systems:
     * HP-UX B.11.00
     * HP-UX B.11.11

    Many programs in HP-UX use catopen()/catgets() (and other functions) found
    in libc to display localized information. When catopen() detects the
    environment variable NLSPATH, it will open the specified file and read
    messages from it.

    However, catopen() does not restrict a suid root program's use of
    NLSPATH. This allows a local attacker to point the NLSPATH variable at an
    arbitrary file under the attacker's control. When the suid root program
    uses catopen() to open that message file and passes the data read from it
    to *printf() as the format argument, a format string vulnerability may
    result.

    Any suid root program that uses catopen()/catgets() is at risk. By
    exploiting the vulnerability local attackers can gain root privileges.
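    The pattern the advisory describes, shown as an added example that is not
    code from the advisory, from NSFOCUS or from HP's libc. The function names
    (drop_nlspath_if_privileged, render_message, lookup_and_render) and the
    catalog name "example" are this example's own choices, and the catalog
    text in main() is constructed. It shows the two call-site mitigations:
    a privileged process discards the caller's NLSPATH before calling
    catopen(), and the string returned by catgets() is always rendered as data
    ("%s"), never as the format argument.

```c
/* Added example (not from the advisory): hardened catopen()/catgets() usage
 * for a program that may run setuid root. Builds against any POSIX libc. */
#define _XOPEN_SOURCE 700
#include <nl_types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 when the process holds privileges its invoker did not have,
 * i.e. the setuid/setgid situation the advisory is about. */
static int running_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Mitigation 1: a privileged program must not let the invoker's environment
 * choose the message catalog. Removes NLSPATH when `privileged` is set; the
 * flag is a parameter so the behaviour can be exercised without a real
 * setuid binary. Returns 1 if the variable was removed, 0 otherwise. */
int drop_nlspath_if_privileged(int privileged)
{
    if (privileged && getenv("NLSPATH") != NULL) {
        unsetenv("NLSPATH");
        return 1;
    }
    return 0;
}

/* Mitigation 2: the catalog string is data, never the format string.
 * Returns the number of characters that would be written, excluding the
 * terminating NUL, exactly as snprintf() does. */
int render_message(const char *msg, char *out, size_t outsz)
{
    /* The VULNERABLE form the advisory describes would be:
     *     snprintf(out, outsz, msg);
     * With NLSPATH pointing at a catalog whose message contains "%x %x %n",
     * that line reads the stack and writes memory chosen by whoever wrote
     * the catalog. The fixed form below copies the message verbatim. */
    return snprintf(out, outsz, "%s", msg);
}

/* Looks up message `num` in set `set` of catalog `catname` and renders it
 * safely. Falls back to `dflt` when no catalog can be opened, which is the
 * case in this self-contained example since no catalog file ships with it.
 * Returns the value of render_message(). */
int lookup_and_render(const char *catname, int set, int num,
                      const char *dflt, char *out, size_t outsz)
{
    drop_nlspath_if_privileged(running_privileged());
    nl_catd cat = catopen(catname, NL_CAT_LOCALE);
    const char *msg = dflt;
    if (cat != (nl_catd)-1) {
        msg = catgets(cat, set, num, dflt);
    }
    int n = render_message(msg, out, outsz);   /* render before closing */
    if (cat != (nl_catd)-1) {
        catclose(cat);
    }
    return n;
}

int main(void)
{
    char buf[128];
    /* Constructed message text that would be dangerous as a format string. */
    lookup_and_render("example", 1, 1, "usage: %s [-q] file %n", buf, sizeof buf);
    puts(buf);   /* printed verbatim: no format directives are interpreted */
    return 0;
}
```

    The explicit NLSPATH check mirrors what a fixed libc does internally:
    glibc's catopen(), for instance, reads NLSPATH through its secure-getenv
    logic and ignores it in setuid programs. Keeping the "%s" discipline at
    every *printf() call that consumes catalog text is what protects a
    program on a libc that has not been patched.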

    According to NSFOCUS's tests, at least the following programs are
    vulnerable:
    -r-sr-xr-x   1 root bin     45056 Nov 14  2000 /usr/bin/at
    -r-sr-xr-x   1 root bin     24576 Nov 14  2000 /usr/bin/crontab
    -r-sr-xr-x   1 root bin     45056 Nov 14  2000 /usr/bin/ct
    -r-sr-xr-x   1 root bin     36864 Apr 19  2001 /usr/bin/cu
    -r-sr-xr-x   1 root bin     20480 Nov 14  2000 /usr/lbin/exrecover
    -r-sr-xr-x   1 root bin     40960 Aug 16  2001 /usr/bin/lp
    -r-sr-sr-x   2 root mail    45056 Nov 14  2000 /usr/bin/mail
    -r-sr-xr-x   5 root bin     45056 Nov 14  2000 /usr/bin/passwd
    -r-sr-xr-x   1 root bin     24576 Nov 14  2000 /usr/bin/su
    -r-sr-xr-x  11 root bin   1921024 Nov  6  2001 /usr/sbin/swinstall
    -r-sr-xr-x   2 root bin   1028096 Nov  6  2001 /usr/sbin/swpackage

    Workaround:
    NSFOCUS suggests temporarily removing the suid root bit from all
    programs until the vendor patches are applied.

    Vendor Status:
    2002.11.19 Informed the vendor
    2002.12.05 Vendor confirmed the vulnerability
    2003.11.05 Vendor released a security bulletin (HPSBUX0311-294) and
    the related patches for the vulnerability.

    Detailed information for the HP security bulletin is available at:
    http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0311-294

    Note: A valid ITRC account is required for the link above.

    Patch ID:
     * HP-UX B.11.22 PHCO_29329
     * HP-UX B.11.11 PHCO_29495
     * HP-UX B.11.00 PHCO_29284
     * HP-UX B.10.20 PHCO_26158

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.nsfocus.com/english/homepage/research/0308.htm

    The information has been provided by NSFOCUS Security Team
    (security@nsfocus.com).


