COMMAND
/usr/contrib/bin/nettune
SYSTEMS AFFECTED
HP-UX
PROBLEM
As shipped, the HP-UX program /usr/contrib/bin/nettune is SETUID
root.
When SETUID root, nettune allows reconfiguration of ICMP, IP,
and TCP kernel parameters by ANY user. The vulnerability can
result in a denial of service.
nettune can reset any of the following parameters:
% nettune -l
arp_killcomplete = 1200 default = 1200 min = 60 max = 3600 units = seconds
arp_killincomplete = 600 default = 600 min = 30 max = 3600 units = seconds
arp_unicast = 300 default = 300 min = 60 max = 3600 units = seconds
arp_rebroadcast = 60 default = 60 min = 30 max = 3600 units = seconds
icmp_mask_agent = 0 default = 0 min = 0 max = 1
ip_defaultttl = 255 default = 255 min = 0 max = 255 units = hops
ip_forwarding = 0 default = 1 min = 0 max = 1
ip_intrqmax = 50 default = 50 min = 10 max = 1000 units = entries
pmtu_defaulttime = 20 default = 20 min = 10 max = 32768
tcp_localsubnets = 1 default = 1 min = 0 max = 1
tcp_receive = 32768 default = 32768 min = 256 max = 262144 units = bytes
tcp_send = 32768 default = 32768 min = 256 max = 262144 units = bytes
tcp_defaultttl = 64 default = 64 min = 0 max = 255 units = hops
tcp_keepstart = 7200 default = 7200 min = 5 max = 12000 units = seconds
tcp_keepfreq = 75 default = 75 min = 5 max = 2000 units = seconds
tcp_keepstop = 600 default = 600 min = 10 max = 4000 units = seconds
tcp_maxretrans = 12 default = 12 min = 4 max = 12
tcp_urgent_data_ptr = 0 default = 0 min = 0 max = 1
udp_cksum = 1 default = 1 min = 0 max = 1
udp_defaultttl = 64 default = 64 min = 0 max = 255 units = hops
udp_newbcastenable = 1 default = 1 min = 0 max = 1
udp_pmtu = 0 default = 0 min = 0 max = 1
tcp_pmtu = 1 default = 1 min = 0 max = 1
tcp_random_seq = 0 default = 0 min = 0 max = 2