Bugtraq mailing list archives

Re: Vulnerability in HP sysdiag ?
From: avarvit () cc ece ntua gr (Aggelos P. Varvitsiotis)
Date: Wed, 25 Sep 1996 12:22:47 +0300

"John W. Jacobi" <jjacobi () nova umuc edu> wrote:
Hi all,

If this is out, I apologize.

Subject: Vulnerability in HP sysdiag ???

Program and Systems that I did this on:
        The sysdiag program on
           HP 9000/700/HPUX9.05 (has PHSS_7587)
           HP 9000/800/HPUX9.04 (not sure of patch regarding diags)

To Prevent:
        For now, turn off the set uid on the programs involved.

This is how it worked for me, perhaps you too:


        Basically, the sysdiag stuff is set-uid root.  You can exploit that
feature to create and write stuff to arbitrary files on the system as
while not being root.  If the target file you want to create exists,
doesn't work.  Perhaps there is a way around that, but that ain't the
The point is that I used this to get root in 30 seconds on my HP's and
not good.  Heck, this is probably faster than asking for the root
password !!!
[rest of message deleted]

I verified it for HP-UX 9.0X. Not only that, though. It is not sufficient
to chmod u-s /bin/sysdiag. This leaves behind a bunch of programs in
/usr/diag/bin which are still setuid to root and behave quite the same
(i.e., they don't check for symlinks while creating 0666 log or temp
files). A non-privileged user can use any of these to create 0666
/.rhosts (or whatever else) files, with the known consequences.

Proposed solution:
root# chmod u-s /bin/sysdiag /usr/diag/bin/*

The question in jjacobi's other mail(s) remains: is there a single source
for this line of vulnerabilities? In which HP-UX releases?

A. Varvitsiotis
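
Added example, not part of the original message and not HP's code: the file-creation pattern the reply describes (no symlink check, mode 0666) next to a hardened form that a privileged program can use for its log or temp files. The function names and the temporary-directory scenario are hypothetical, and the sketch assumes a modern POSIX system that provides O_NOFOLLOW.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the thread describes: follows a symlink, asks for mode 0666. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL fails if the name exists (even as a dangling symlink),
 * O_NOFOLLOW refuses a symlink, mode is 0600, fstat() checks the result. */
int open_log_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: diag.log is a symlink to a file that does not exist.
 * Bit 0: safe open refused; bit 1: target untouched by it; bit 2: unsafe
 * open created the target through the link. */
int demo(void)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX", lnk[64], target[64];
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/diag.log", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lnk) != 0) return -1;
    if ((fd = open_log_safe(lnk)) < 0) result |= 1; else close(fd);
    if (access(target, F_OK) != 0) result |= 2;
    if ((fd = open_log_unsafe(lnk)) >= 0) close(fd);
    if (access(target, F_OK) == 0) result |= 4;
    unlink(target); unlink(lnk); rmdir(dir);
    return result;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```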
