[UNIX] HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 11/16/03
To: list@securiteam.com
Date: 16 Nov 2003 18:07:27 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability
------------------------------------------------------------------------
SUMMARY
NSFOCUS Security Team has found that the libc in HP-UX does not restrict
the NLSPATH variable used by suid root programs. This allows a local
attacker to trigger a format string vulnerability.
DETAILS
Vulnerable systems:
* HP-UX B.11.00
* HP-UX B.11.11
Many programs in HP-UX use catopen()/catgets() (and other functions) found
in libc to display localized information. When catopen() detects the
environment variable NLSPATH, it will open the specified file and read
messages from it.
However, catopen() doesn't restrict a suid root program's use of
NLSPATH. This allows local attackers to point the NLSPATH variable at an
arbitrary file that they control. When the suid root program uses
catopen() to open the message file and passes the data from it to
*printf(), a format string vulnerability might occur.
Any suid root program that uses catopen()/catgets() is at risk. By
exploiting the vulnerability local attackers can gain root privileges.
According to NSFOCUS's tests, at least the following programs are
vulnerable:
-r-sr-xr-x  1 root bin    45056 Nov 14 2000 /usr/bin/at
-r-sr-xr-x  1 root bin    24576 Nov 14 2000 /usr/bin/crontab
-r-sr-xr-x  1 root bin    45056 Nov 14 2000 /usr/bin/ct
-r-sr-xr-x  1 root bin    36864 Apr 19 2001 /usr/bin/cu
-r-sr-xr-x  1 root bin    20480 Nov 14 2000 /usr/lbin/exrecover
-r-sr-xr-x  1 root bin    40960 Aug 16 2001 /usr/bin/lp
-r-sr-sr-x  2 root mail   45056 Nov 14 2000 /usr/bin/mail
-r-sr-xr-x  5 root bin    45056 Nov 14 2000 /usr/bin/passwd
-r-sr-xr-x  1 root bin    24576 Nov 14 2000 /usr/bin/su
-r-sr-xr-x 11 root bin  1921024 Nov  6 2001 /usr/sbin/swinstall
-r-sr-xr-x  2 root bin  1028096 Nov  6 2001 /usr/sbin/swpackage
Workaround:
NSFOCUS suggests temporarily removing the suid root bit from all
programs.
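For programs that must keep the suid bit, the flaw described under DETAILS can also be blunted in the program itself. The following is an added example, not code from the NSFOCUS advisory or from HP's patches: a set-id process drops the caller's NLSPATH before its first catopen(), and a catalog string is accepted as a *printf() format only if it consumes the same arguments as the compiled-in default. The names fmt_signature, fmt_compatible, checked_msg and drop_untrusted_nlspath are hypothetical, and the sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Argument signature of fmt: length modifiers plus conversion character per
 * directive ("%5ld %s" -> "ld;s;"). -1 for %n, '*', '$', dangling '%', overflow. */
static int fmt_signature(const char *fmt, char *sig, size_t cap)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                        /* literal "%%" */
        while (*p && strchr("-+ #0123456789.", *p)) p++;  /* flags, width, precision */
        while (*p && strchr("hlLjzt", *p) && n + 3 < cap) sig[n++] = *p++;
        if (!*p || !strchr("diouxXcsfeEgGp", *p) || n + 3 >= cap) return -1;
        sig[n++] = *p; sig[n++] = ';';
    }
    sig[n] = '\0';
    return 0;
}

/* Accept a catalog string only if it consumes the same arguments as dflt. */
int fmt_compatible(const char *dflt, const char *candidate)
{
    char a[64], b[64];
    return fmt_signature(dflt, a, sizeof a) == 0 &&
           fmt_signature(candidate, b, sizeof b) == 0 && strcmp(a, b) == 0;
}

/* Hypothetical wrapper: looked_up stands for the string catgets() returned. */
const char *checked_msg(const char *dflt, const char *looked_up)
{
    return (looked_up && fmt_compatible(dflt, looked_up)) ? looked_up : dflt;
}

/* Set-id process: drop the caller's NLSPATH before the first catopen(). */
int drop_untrusted_nlspath(void)
{
    if (getuid() == geteuid() && getgid() == getegid()) return 0;
    return unsetenv("NLSPATH") == 0;
}

int main(void)
{
    drop_untrusted_nlspath();
    /* Constructed hostile catalog entry is rejected; the default is printed. */
    printf(checked_msg("%s: cannot open %s\n", "%s%s%n"), "demo", "/tmp/x");
    return 0;
}
```

The check is deliberately strict: it also rejects positional (`%1$s`) directives, so translations that need to reorder arguments fall back to the default text.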
Vendor Status:
2002.11.19 Informed the vendor
2002.12.05 Vendor confirmed the vulnerability
2003.11.05 Vendor released a security bulletin (HPSBUX0311-294) and
related patches for the vulnerability.
Detailed information for the HP security bulletin is available at:
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0311-294
Note: A valid ITRC account is required for the link above.
Patch ID:
* HP-UX B.11.22 PHCO_29329
* HP-UX B.11.11 PHCO_29495
* HP-UX B.11.00 PHCO_29284
* HP-UX B.10.20 PHCO_26158
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.nsfocus.com/english/homepage/research/0308.htm
The information has been provided by NSFOCUS Security Team
<security@nsfocus.com>.