[VulnWatch] NSFOCUS SA2003-08: HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability

From: NSFOCUS Security Team (security_at_nsfocus.com)
Date: 11/13/03

  • Next message: advisories: "[VulnWatch] Corsaire Security Advisory: PeopleSoft Gateway Administration servlet path disclosure issue"
    To: bugtraq@securityfocus.com
    Date: Thu, 13 Nov 2003 17:44:41 +0800
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    NSFOCUS Security Advisory(SA2003-08)

    Topic: HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability

    Release Date: 2003-11-13

    CVE CAN ID: CAN-2003-0090

    http://www.nsfocus.com/english/homepage/research/0308.htm

    Affected system:
    ===================
    - - HP-UX B.11.00
    - - HP-UX B.11.11

    Summary:
    =========

    NSFOCUS Security Team has found that the libc in HP-UX cannot restrict the
    NLSPATH variable used by suid root program, which causes a format string
    vulnerability. Exploiting the vulnerability local attacker could gain root
    privilege.

    Description:
    ============

    Many programs in HP-UX use catopen()/catgets() and other functions in libc
    to display localized information. When catopen() has detected the environment
    variable NLSPATH, it will open the specified file and read messages from
    it.

    However, catopen() doesn't restrict the suid root program uses NLSPATH, which
    allows local attackers to set NLSPATH variable and specify a locale file
    crafted by themselves. When the suid root program uses catopen() to open the
    message file and passes the data from it to *printf(), it might cause a format
    string vulnerability.

    Any suid root program that uses catopen()/catgets() maybe vulnerable. By exploiting
    the vulnerability local attackers could gain root privilege.

    According to the test, at least the following programs are vulnerable:

    - -r-sr-xr-x 1 root bin 45056 Nov 14 2000 /usr/bin/at
    - -r-sr-xr-x 1 root bin 24576 Nov 14 2000 /usr/bin/crontab
    - -r-sr-xr-x 1 root bin 45056 Nov 14 2000 /usr/bin/ct
    - -r-sr-xr-x 1 root bin 36864 Apr 19 2001 /usr/bin/cu
    - -r-sr-xr-x 1 root bin 20480 Nov 14 2000 /usr/lbin/exrecover
    - -r-sr-xr-x 1 root bin 40960 Aug 16 2001 /usr/bin/lp
    - -r-sr-sr-x 2 root mail 45056 Nov 14 2000 /usr/bin/mail
    - -r-sr-xr-x 5 root bin 45056 Nov 14 2000 /usr/bin/passwd
    - -r-sr-xr-x 1 root bin 24576 Nov 14 2000 /usr/bin/su
    - -r-sr-xr-x 11 root bin 1921024 Nov 6 2001 /usr/sbin/swinstall
    - -r-sr-xr-x 2 root bin 1028096 Nov 6 2001 /usr/sbin/swpackage

    Workaround:
    =============

    NSFOCUS suggests to temporarily remove the suid root bit for all the
    programs. However, it might brings about many inconvenience. You are suggested
    to apply the appropriate patch at the earliest possibility.

    Vendor Status:
    ==============

    2002.11.19 Informed the vendor
    2002.12.05 Vendor confirmed the vulnerability
    2003.11.05 Vendor released a security bulletin (HPSBUX0311-294) and relative
                patches for the vulnerability.

    Detailed information for the HP security bulletin is available at:
    http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0311-294

    Note: Valid ITRC account is required for the link above.

    Patch ID:

    HP-UX B.11.22 PHCO_29329
    HP-UX B.11.11 PHCO_29495
    HP-UX B.11.00 PHCO_29284
    HP-UX B.10.20 PHCO_26158

    Additional Information:
    ========================

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2003-0090 to this issue. This is a candidate for inclusion in the
    CVE list (http://cve.mitre.org), which standardizes names for security
    problems. Candidates may change significantly before they become official
    CVE entries.

    Acknowledgment
    ===============

    Yang Jilong of NSFOCUS Security Team found the vulnerability.

    DISCLAIMS:
    ==========
    THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
    OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
    EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
    BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
    INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
    EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
    ADVISORY IS NOT MODIFIED IN ANY WAY.

    Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.

    NSFOCUS Security Team <security@nsfocus.com>
    NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
    (http://www.nsfocus.com)

    PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
    Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 aF6DA
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE/s1KJ1794d8am9toRAjuxAJ9G7Y0zGPICg3Xi4HEOcWaTqAEXnwCfcMjj
    IrBO1cVWJ0MLfLUdK0C8fAY=
    =McFd
    -----END PGP SIGNATURE-----


  • Next message: advisories: "[VulnWatch] Corsaire Security Advisory: PeopleSoft Gateway Administration servlet path disclosure issue"