MCI Telecommunications internetMCI Security Group

Report Title:        iMCI MIIGS Security Alert
Report Name:         HP-UX newgrp exposure
Report Number:       iMCISE:IMCICERT:01996:01:P1R4
Report Date:         01/09/96
Report Format:       Formal Report
Classification:      MCI Informational
Report Reference:    http://www.security.mci.net
Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS),
                     MCI Emergency Alert LiSt (MEALS) (names on file)
--------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-97.02
Original issue date: January 7, 1997
Last revised: ---

Topic: HP-UX newgrp Buffer Overrun Vulnerability
- -----------------------------------------------------------------------------

The text of this advisory was originally released on December 3, 1996, as
AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability, developed by AUSCERT.
Because of the seriousness of the problem, we are reprinting the AUSCERT
advisory here with their permission. Only the contact information at the
end has changed: AUSCERT contact information has been replaced with CERT/CC
contact information.

We will update this advisory as we receive additional information. Look for
it in an "Updates" section at the end of the advisory.

===========================================================================

AUSCERT has received information that a vulnerability exists in the
newgrp(1) program under HP-UX 9.x and 10.x. This vulnerability may allow
local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

Currently there are no vendor patches available that address this
vulnerability. AUSCERT recommends that sites take the steps outlined in
section 3 as soon as possible.

This advisory will be updated as more information becomes available.
- ----------------------------------------------------------------------------

1. Description

AUSCERT has received information that a vulnerability exists in the HP-UX
newgrp(1) program. The newgrp command is used to change a user's group
identification, and is installed by default.

Due to insufficient bounds checking on arguments which are supplied by
users, it is possible to overwrite the internal stack space of the newgrp
program while it is executing. By supplying a carefully designed argument
to the newgrp program, intruders may be able to force newgrp to execute
arbitrary commands. As newgrp is setuid root, this may allow intruders to
run arbitrary commands with root privileges.

This vulnerability is known to affect both HP-UX 9.x and 10.x. By default,
newgrp is located in /bin under HP-UX 9.x and in /usr/bin under HP-UX 10.x.

Exploit information involving this vulnerability has been made publicly
available.

2. Impact

Local users may gain root privileges.

3. Workarounds/Solution

AUSCERT recommends that sites limit the possible exploitation of this
vulnerability by immediately removing the setuid permissions as stated in
Section 3.1. If the newgrp command is required, AUSCERT recommends the
newgrp wrapper program given in Section 3.2 be installed.

Currently there are no vendor patches available that address this
vulnerability. AUSCERT recommends that official vendor patches be
installed when they are made available.

3.1 Remove setuid and non-root execute permissions

To prevent the exploitation of the vulnerability described in the advisory,
AUSCERT recommends that the setuid permissions be removed from the newgrp
program immediately. As the newgrp program will no longer work for non-root
users, it is recommended that the execute permissions also be removed.

Before doing so, the original permissions for newgrp should be noted as
they will be needed if sites choose to install the newgrp wrapper program
(Section 3.2).
For HP-UX 9.x:

    # ls -l /bin/newgrp
    -r-sr-xr-x   1 root     sys        16384 Dec  2 13:45 /bin/newgrp
    # chmod 500 /bin/newgrp
    # ls -l /bin/newgrp
    -r-x------   1 root     sys        16384 Dec  2 13:45 /bin/newgrp

For HP-UX 10.x:

    # ls -l /usr/bin/newgrp
    -r-sr-xr-x   1 root     sys        12288 Dec  2 13:27 /usr/bin/newgrp
    # chmod 500 /usr/bin/newgrp
    # ls -l /usr/bin/newgrp
    -r-x------   1 root     sys        12288 Dec  2 13:27 /usr/bin/newgrp

Note that this will remove the ability for any non-root user to run the
newgrp program.

3.2 Install newgrp wrapper

AUSCERT has developed a wrapper to help prevent programs from being
exploited using the vulnerability described in this advisory. This wrapper,
including installation instructions, can be found at:

    ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper.c

This replaces the newgrp program with a wrapper which checks the length of
the command line arguments passed to it. If an argument exceeds a certain
predefined value (MAXARGLEN), the wrapper exits without executing the
newgrp command. The wrapper program can also be configured to syslog any
failed attempts to execute newgrp with arguments exceeding MAXARGLEN. For
further instructions on using this wrapper, please read the comments at
the top of overflow_wrapper.c.

When compiling overflow_wrapper.c for use with HP-UX newgrp, AUSCERT
recommends defining MAXARGLEN to be 16.

The MD5 checksum for Version 1.0 of overflow_wrapper.c is:

    MD5 (overflow_wrapper.c) = f7f83af7f3f0ec1188ed26cf9280f6db

AUSCERT recommends that until vendor patches can be installed, sites
requiring the newgrp functionality apply this workaround.

- ----------------------------------------------------------------------------

AUSCERT thanks Hewlett-Packard for their continued assistance and technical
expertise essential for the production of this advisory. AUSCERT also
thanks Information Technology Services of the University of Southern
Queensland for their assistance.
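To make the mechanism of Section 3.2 concrete, here is an added illustration of an argument-length guard in the same spirit as the AUSCERT wrapper; it is not overflow_wrapper.c and is not AUSCERT's code. It assumes the original setuid binary has been moved to the placeholder path REAL_NEWGRP (left mode 500, root only) and that this program is installed in its place with newgrp's original permissions.

```c
/* Added example of a newgrp argument-length guard (not AUSCERT's wrapper). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#ifndef MAXARGLEN
#define MAXARGLEN 16                        /* value AUSCERT recommends for HP-UX newgrp */
#endif
#ifndef REAL_NEWGRP
#define REAL_NEWGRP "/usr/bin/newgrp.real"  /* assumed path of the relocated original binary */
#endif

/* Returns the index of the first argument (argv[1..argc-1]) whose length
 * exceeds maxlen, or -1 when every argument is within bounds. argv[0] is
 * the wrapper's own name and is not checked. */
int first_oversized_arg(int argc, char *const argv[], size_t maxlen)
{
    for (int i = 1; i < argc; i++) {
        if (argv[i] == NULL)
            break;
        if (strlen(argv[i]) > maxlen)
            return i;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    int bad = first_oversized_arg(argc, argv, MAXARGLEN);
    if (bad != -1) {
        /* Record the attempt with the caller's uid. Only the length is
         * logged: the argument is user-controlled and may hold binary data. */
        openlog("newgrp-wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING, "rejected argument %d of length %lu from uid %lu",
               bad, (unsigned long)strlen(argv[bad]), (unsigned long)getuid());
        closelog();
        fprintf(stderr, "newgrp: argument too long\n");
        return 1;                           /* exit without running newgrp */
    }
    /* All arguments are within bounds: hand over to the real binary. */
    execv(REAL_NEWGRP, argv);
    perror("execv");                        /* reached only if the exec failed */
    return 1;
}
```

A legitimate group name fits comfortably inside 16 bytes, so ordinary use is unaffected while any oversized argument is refused and recorded before the vulnerable binary ever runs.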
- ----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by
email. The CERT Coordination Center can support a shared DES key and PGP.
Contact the CERT staff for more information.

Location of CERT PGP key
    ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
    http://www.cert.org/
    ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
    comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send
your email address to
    cert-advisory-request@cert.org

CERT is a service mark of Carnegie Mellon University.

This file:
    ftp://info.cert.org/pub/cert_advisories/CA-97.02.hp_newgrp
    http://www.cert.org
    click on "CERT Advisories"

=============================================================================
UPDATES

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMtKYYXVP+x0t4w7BAQHCQwP/cSno/KpuCbU2R0xILj/QmndRH6K/Ud2z
5EJz26jaynogNJQWB1z67KDzRHcD3dD3AjLFVjHTGg61SnoOcIYPySpqtID+WTXZ
1PHBvmO1EwD1VAFpBcNtPl9svAAxufG9MLl4xeiXCvgngsGotq+DHI9doHmaLaUw
NvqWujIeNSM=
=oBKV
-----END PGP SIGNATURE-----