Date: 8/3/97 11:13:53 AM From: Darren Reed Subject: BoS: HP Security Bulletins Digest (fwd) To: (""@LOCAL) In some mail from Aleph One, sie said: > From owner-bugtraq@NETSPACE.ORG Fri Aug 1 04:29:22 EST 1997 > Approved-By: aleph1@UNDERGROUND.ORG > Mime-Version: 1.0 > Content-Type: TEXT/PLAIN; charset=US-ASCII > Date: Thu, 31 Jul 1997 12:11:26 -0500 > Reply-To: Aleph One > Sender: Bugtraq List > From: Aleph One > Subject: HP Security Bulletins Digest > To: BUGTRAQ@NETSPACE.ORG > > HP Support Information Digests > > =============================================================================== > o HP Electronic Support Center World Wide Web Service > --------------------------------------------------- > > If you subscribed through the HP Electronic Support Center and would > like to be REMOVED from this mailing list, access the > HP Electronic Support Center on the World Wide Web at: > > http://us-support.external.hp.com > > Enter the Support Information Digests service as a registered user, > using your HP Electronic Support Center User ID and Password to login. > You may then unsubscribe from the appropriate digest. > =============================================================================== > > > Digest Name: Daily Security Bulletins Digest > Created: Wed Jul 30 17:08:34 PDT 1997 > > Table of Contents: > > Document ID Title > --------------- ----------- > HPSBUX9611-041 Vulnerability with Large UID's and GID's in HP-UX 10.20 > HPSBUX9707-067 Buffer overflows in X11/Motif libraries > HPSBUX9707-068 Security Vulnerability in Novell Netware 3.12 on HP-UX > > The documents are listed below. > ------------------------------------------------------------------------------- > > > Document ID: HPSBUX9611-041 > Date Loaded: 970730 > Title: Vulnerability with Large UID's and GID's in HP-UX 10.20 > > ------------------------------------------------------------------------- > **REVISED 02**HEWLETT-PACKARD SECURITY BULLETIN: #00041, 20 January 1997 > Last Revised: 29 July 1997 > ------------------------------------------------------------------------- > > The information in the following Security Bulletin should be acted upon > as soon as possible. Hewlett Packard will not be liable for any > consequences to any customer resulting from customer's failure to fully > implement instructions in this Security Bulletin as soon as possible. > > ------------------------------------------------------------------------- > > PROBLEM: Use of user or group id's greater than 60000 > > PLATFORM: HP 9000 series 700/800 systems running version 10.20 > > DAMAGE: Increase in capability and unauthorized access > > SOLUTION: **REVISED 01** > Install PHSS_9343, PHNE_9377, and PHNE_9504. Then examine > the system for suid files that may not be safe for a large > uid/gid system. Any such files must be certified by their > providers as safe for use in large uid/gid system. > **REVISED 02** > Apply patch PHSS_11309. PHSS_9799, which superseded > PHSS_9343, inadvertently omitted the fix. > Do not use PHSS_9799; it is now unavailable. > Both PHSS_9343 and PHSS_9799 have been superseded by > PHSS_11309, which does have the fix. > > AVAILABILITY: PHSS_9343, PHNE_9377, PHNE_9504 and PHSS_11309 are > available now. > > CHANGE SUMMARY: **REVISED 02** > One of the patches needed, PHSS_9343 (hpterm) was > superseded by a patch that omitted the fix, PHSS_9799. > Do not use PHSS_9799. It has been superseded by PHSS_11309. > > PHSS_9343 has also been superseded by PHSS_11309. You can > continue to use PHSS_9343. However, PHSS_11309 has additional > defect fixes and you may want to install it. > > NOTE: You still need to install PHNE_9377 and PHNE_9504 or > subsequent. You also need to examine the system for suid > files that may not be safe for a large uid/gid system. > ------------------------------------------------------------------------- > > I. > A. Background > Large user and group id's are new features of HP-UX revision 10.20. > Requirements for a program to work in a large uid/gid system are > detailed in the 10.20 Release Notes. In particular the uid or gid > must not be stored in a short int. Doing so in a suid program > can result in an increase in capability, including root access. > > The suid files in the following filesets have been examined and > are free of the security vulnerability (after installing the > patches listed above). This only implies that the files are free > from the vulnerability. It does not necessarily mean that the > programs in that fileset will work properly in a large uid/gid > system. > > 100VG-RUN, AB-NET, AB-RUN, AB-SUPPORT, ACCOUNTNG, AGRM, ASU, > AUDIO-SRV, CDE-DTTERM, CDE-RUN, CMDS-AUX, CMDS-MIN, > DCE-CORE-RUN, DDX-FREEDOM, DVC-SRV, DVC-SRV, EDITORS, > FAX-SER-CMN, FCEISA-RUN, FCHSC-RUN, FDDI6-RUN, FTAM, GLANCE, > GLANCE, GPM, HPNP-RUN, HPNP-RUN, HPPAK, HPPB100BT-RUN, > INETSVCS-RUN, LAN-RUN, LMU, LP-SPOOL, LVM-RUN, LVM-RUN, > MAILERS, MAPCHAN-CMD, MCSE-CORE, MPOWER-CLIENT, NET-RUN, > NFS-CLIENT, NIS-CLIENT, OM-ADM, OM-BB, OM-CCMOB, OM-CORE, > OM-DESK, OM-DSYNC, OM-FAX, OM-LC, OM-NOTES, OM-P7, > OM-PMOVER, OM-RC, OM-SMS, OM-SNOOP, OM-UNIX, OM-X400, > OMNI-CORE, OTS-RUN, OVNNM-RUN, PHIGS-RUN, PHIGS-RUN, > PR-INFORMIX, PRM-RUN, RUPDATE, SAM, SCAN-CFG, SD-CMDS, > SLIP-RUN, SNAP-COMMON, SNAP-RJE, SNAP2-CORE, SNAP2-RJE, > STAR-RUN, SYS-ADMIN, SYSCOM, TERM-MNGR-MIN, TOKEN1-RUN, > TOKEN2-RUN, TOKEN3-RUN, UPG-ANALYSIS, UUCP, UX-CORE, > VUE-RUN, WTNETSCAPE2-RU, X11-RUN-CL, X11-RUN-CTRB, X400-RUN > > Note: The fact that a fileset is missing from the list above > does not mean it is suspect. It may mean the fileset contains > no suid files. The script below can be used to identify suid > files that are not contained in known safe filesets. > > > B. Fixing the problem > > Install the patches listed above and examine all suid files. > The following script will identify suspect suid files. > The provider of any suspect file should be contacted to confirm > that the program is safe for use in a large uid/gid system. > > Note: The script was tested on a system with one file system. > If you have a different configuration (nfs mounted file systems, > for example), you may want to modify the find(1) command. > > Note: Some suid files may be listed under the fileset of > a patch as well as under the primary fileset. In that case: > > 1. Use swlist to find all the instances of each file. > > For example: > > # swlist -l file | grep vueaction > PHSS_8537.PHSS_8537: /usr/vue/bin/vueaction > VUE.VUE-MAN: /usr/share/man/man1.Z/vueaction.1 > VUE.VUE-RUN: /usr/vue/bin/vueaction > # swlist -l file | grep vuehello > ... > > > 2. Verify that the primary (non-patch) fileset is on the > list of large uid/gid safe filesets. In this case > VUE-RUN is on the list. > > 3. Add the patch fileset (PHSS_8537 in this example) to the > list of safe filesets in the script below. For example: > > -e PHSS_8537: \ > > > C. Recommended solution > > #!/bin/sh > echo "###############################################################" > echo "# #" > echo "# Finds suid files that are suspect in a large uid/gid #" > echo "# system. Those would be any suid file not in one #" > echo "# of the following filesets: #" > echo "# #" > echo "#100VG-RUN, AB-NET, AB-RUN, AB-SUPPORT, ACCOUNTNG, AGRM, ASU, #" > echo "#AUDIO-SRV, CDE-DTTERM, CDE-RUN, CMDS-AUX, CMDS-MIN, #" > echo "#DCE-CORE-RUN, DDX-FREEDOM, DVC-SRV, DVC-SRV, EDITORS, #" > echo "#FAX-SER-CMN, FCEISA-RUN, FCHSC-RUN, FDDI6-RUN, FTAM, GLANCE, #" > echo "#GLANCE, GPM, HPNP-RUN, HPNP-RUN, HPPAK, HPPB100BT-RUN, #" > echo "#INETSVCS-RUN, LAN-RUN, LMU, LP-SPOOL, LVM-RUN, LVM-RUN, #" > echo "#MAILERS, MAPCHAN-CMD, MCSE-CORE, MPOWER-CLIENT, NET-RUN, #" > echo "#NFS-CLIENT, NIS-CLIENT, OM-ADM, OM-BB, OM-CCMOB, OM-CORE, #" > echo "#OM-DESK, OM-DSYNC, OM-FAX, OM-LC, OM-NOTES, OM-P7, #" > echo "#OM-PMOVER, OM-RC, OM-SMS, OM-SNOOP, OM-UNIX, OM-X400, #" > echo "#OMNI-CORE, OTS-RUN, OVNNM-RUN, PHIGS-RUN, PHIGS-RUN, #" > echo "#PR-INFORMIX, PRM-RUN, RUPDATE, SAM, SCAN-CFG, SD-CMDS, #" > echo "#SLIP-RUN, SNAP-COMMON, SNAP-RJE, SNAP2-CORE, SNAP2-RJE, #" > echo "#STAR-RUN, SYS-ADMIN, SYSCOM, TERM-MNGR-MIN, TOKEN1-RUN, #" > echo "#TOKEN2-RUN, TOKEN3-RUN, UPG-ANALYSIS, UUCP, UX-CORE, #" > echo "#VUE-RUN, WTNETSCAPE2-RU, X11-RUN-CL, X11-RUN-CTRB, X400-RUN #" > echo "# #" > echo "# Note: This assumes that the patches listed in #" > echo "# HP Security Bulletin 41 are installed. #" > echo "# #" > echo "# As you qualify other suid files you may want to #" > echo "# modify this script. #" > echo "# #" > echo "###############################################################" > td=/tmp/suid_temp > mkdir $td > ########################################################## > # find all suid files > ########################################################## > echo find all suid files: > echo "find / -type f -perm -u+s -print >$td/suid_files" > find / -type f -perm -u+s -print >$td/suid_files > > ########################################################## > # list all files in all installed filesets > ########################################################## > echo list all files in all installed filesets: > echo "swlist -l file >$td/swlist.file" > swlist -l file >$td/swlist.file > > ########################################################## > # extract the suid files from the list all files > # in all installed filesets > ########################################################## > echo find suspect suid files > grep -Ff $td/suid_files $td/swlist.file > $td/swlist.suid > > ########################################################## > # make a list of all the filesets containing suid files > ########################################################## > awk '{print $1}' $td/swlist.suid | cut -f 2 -d\. \ > | sort -u >$td/suid_filesets > > ########################################################## > # remove from the list all the filesets known to be > # large uid/gid safe > ########################################################## > > grep -ve 100VG-RUN: -e AB-NET: -e AB-RUN: -e AB-SUPPORT: \ > -e ACCOUNTNG: -e AGRM: -e ASU: -e AUDIO-SRV: -e CDE-DTTERM: \ > -e CDE-RUN: -e CMDS-AUX: -e CMDS-MIN: -e DCE-CORE-RUN: \ > -e DDX-FREEDOM: -e DVC-SRV: -e DVC-SRV: -e EDITORS: \ > -e FAX-SER-CMN: -e FCEISA-RUN: -e FCHSC-RUN: -e FDDI6-RUN: \ > -e FTAM: -e GLANCE: -e GLANCE: -e GPM: -e HPNP-RUN: \ > -e HPNP-RUN: -e HPPAK: -e HPPB100BT-RUN: -e INETSVCS-RUN: \ > -e LAN-RUN: -e LMU: -e LP-SPOOL: -e LVM-RUN: -e LVM-RUN: \ > -e MAILERS: -e MAPCHAN-CMD: -e MCSE-CORE: \ > -e MPOWER-CLIENT: -e NET-RUN: -e NFS-CLIENT: -e NIS-CLIENT: \ > -e OM-ADM: -e OM-BB: -e OM-CCMOB: -e OM-CORE: \ > -e OM-DESK: -e OM-DSYNC: -e OM-FAX: -e OM-LC: -e OM-NOTES: \ > -e OM-P7: -e OM-PMOVER: -e OM-RC: -e OM-SMS: \ > -e OM-SNOOP: -e OM-UNIX: -e OM-X400: -e OMNI-CORE: \ > -e OTS-RUN: -e OVNNM-RUN: -e PHIGS-RUN: -e PHIGS-RUN: \ > -e PR-INFORMIX: -e PRM-RUN: -e RUPDATE: -e SAM: \ > -e SCAN-CFG: -e SD-CMDS: -e SLIP-RUN: -e SNAP-COMMON: \ > -e SNAP-RJE: -e SNAP2-CORE: -e SNAP2-RJE: -e STAR-RUN: \ > -e SYS-ADMIN: -e SYSCOM: -e TERM-MNGR-MIN: -e TOKEN1-RUN: -e UUCP: \ > -e TOKEN2-RUN: -e TOKEN3-RUN: -e UPG-ANALYSIS: \ > -e UX-CORE: -e VUE-RUN: -e WTNETSCAPE2-RU: -e X11-RUN-CL: \ > -e X11-RUN-CTRB: -e X400-RUN: \ > $td/suid_filesets >$td/suid_suspect_filesets > > ########################################################## > # make a list of all the files in the suspect filesets > ########################################################## > grep -Ff $td/suid_suspect_filesets $td/swlist.file \ > >$td/suid_suspect_filesets_files > > ########################################################## > # extract just the suid files from the suspect filesets > ########################################################## > > echo "The following suid files are suspect in a large uid/gid system:" \ > >$td/suid_suspect_files > echo "Fileset: File">>$td/suid_suspect_files > echo "-------------------------------------------" >>$td/suid_suspect_files > grep -Ff $td/suid_files $td/suid_suspect_filesets_files \ > >$td/suid_suspect_files > > ########################################################## > # suid files that are not in filesets are suspect > ########################################################## > for i in `cat $td/suid_files` > do > count=`grep -c $i $td/swlist.file` > if [ $count -eq 0 ] > then > echo "not_in_a_fileset: $i" >>$td/suid_suspect_files > fi > done > > cat $td/suid_suspect_files > echo "The list of suspect suid files is in $td/suid_suspect_files" > exit > ##################### end ########################################### > > D. Impact of the patch > Installs large uid/gid safe programs. > > E. To subscribe to automatically receive future NEW HP > Security Bulletins from the HP SupportLine Digest service via > electronic mail, do the following: > > 1) From your Web browser, access the URL: > > http://us-support.external.hp.com (US,Canada, Asia-Pacific, > and Latin-America) > > http://europe-support.external.hp.com (Europe) > > 2) On the HP Electronic Support Center main screen, select > the hyperlink "Support Information Digests". > > 3) On the "Welcome to HP's Support Information Digests" screen, > under the heading "Register Now", select the appropriate > hyperlink "Americas and Asia-Pacific", or "Europe". > > 4) On the "New User Registration" screen, fill in the fields > for the User Information and Password and then select the > button labeled "Submit New User". > > 5) On the "User ID Assigned" screen, select the hyperlink > "Support Information Digests". > > **Note what your assigned user ID and password are for future > reference. > > 6) You should now be on the "HP Support Information Digests > Main" screen. You might want to verify that your email address > is correct as displayed on the screen. From this screen, you > may also view/subscribe to the digests, including the security > bulletins digest. > > To get a patch matrix of current HP-UX and BLS security > patches referenced by either Security Bulletin or Platform/OS, > click on following screens in order: > > Technical Knowledge Database > Browse Security Bulletins > Security Bulletins Archive > HP-UX Security Patch Matrix > > > F. To report new security vulnerabilities, send email to > > security-alert@hp.com > > Please encrypt any exploit information using the security-alert > PGP key, available from your local key server, or by sending a > message with a -subject- (not body) of 'get key' (no quotes) to > security-alert@hp.com. > > > Permission is granted for copying and circulating this Bulletin to > Hewlett-Packard (HP) customers (or the Internet community) for the > purpose of alerting them to problems, if and only if, the Bulletin > is not edited or changed in any way, is attributed to HP, and > provided such reproduction and/or distribution is performed for > non-commercial purposes. > > Any other use of this information is prohibited. HP is not liable > for any misuse of this information by any third party. > ________________________________________________________________________ > -----End of Document ID: HPSBUX9611-041-------------------------------------- > > > Document ID: HPSBUX9707-067 > Date Loaded: 970730 > Title: Buffer overflows in X11/Motif libraries > > ------------------------------------------------------------------------- > HEWLETT-PACKARD SECURITY BULLETIN: #00067, 30 July 1997 > ------------------------------------------------------------------------- > > The information in the following Security Bulletin should be acted upon > as soon as possible. Hewlett Packard will not be liable for any > consequences to any customer resulting from customer's failure to fully > implement instructions in this Security Bulletin as soon as possible. > > ------------------------------------------------------------------------- > PROBLEM: Buffer overflows in X11/Motif libraries. > > PLATFORM: HP9000 Series 700/800 running releases 9.X and 10.X > > DAMAGE: Suid/sgid programs linked with X11/Motif libraries can > be exploited to increase privileges. > > SOLUTION: Install the patches listed below. Any programs that are > linked archived with any previous versions of the X11/Motif > libraries must be relinked with the libraries in the patches. > > AVAILABILITY: The patches are available now. > ------------------------------------------------------------------------- > I. > A. Background - Several buffer overflow conditions have been > identified. These have been present in all > previous versions of the X11/Motif libraries. > > B. Fixing the problem - Install the applicable patches: > > PHSS_11626 9.X X11R5/Motif1.2 Runtime > PHSS_11627 9.X X11R5/Motif1.2 Development > > PHSS_11043 10.0X X11R5/Motif1.2 Runtime (also for 10.10) > PHSS_11044 10.0X X11R5/Motif1.2 Development > > PHSS_11043 10.10 X11R5/Motif1.2 Runtime (also for 10.0X) > PHSS_11045 10.10 X11R5/Motif1.2 Development > > PHSS_11628 10.20 X11R5/Motif1.2 Runtime > PHSS_11629 10.20 X11R5/Motif1.2 Development > > PHSS_11628 10.20 X11R6/Motif1.2 Runtime > PHSS_11630 10.20 X11R6/Motif1.2 Development > > PHSS_9858 9.X VUE 3.0 > > PHSS_9804 10.01 VUE 3.0 > > PHSS_9805 10.10/10.20 VUE 3.0 > > PHSS_11373 9.X JSE A.B9.40 > > Then relink any suid/sgid programs that use X11 or Motif archived > libraries. > > C. Recommended solution - Install the applicable patches and > relink archived suid/sgid programs. > > D. Impact of the patch - The fixes are in the X11/Motif patches. > The VUE and JSE patches make use of the libraries in the > X11/Motif patches. > > E. To subscribe to automatically receive future NEW HP Security > Bulletins from the HP Electronic Support Center via electronic > mail, do the following: > > User your browser to get to the HP Electronic Support Center page > at: > > http://us-support.external.hp.com > (for US, Canada, Asia-Pacific, & Latin-America) > > http://europe-support.external.hp.com > (for Europe) > > Click on the Technical Knowledge Database, register as a user > (remember to save the User ID assigned to you, and your password), > and it will connect to a HP Search Technical Knowledge DB page. > Near the bottom is a hyperlink to our Security Bulletin archive. > Once in the archive there is another link to our current > security patch matrix. Updated daily, this matrix is categorized > by platform/OS release, and by bulletin topic. > > F. To report new security vulnerabilities, send email to > > security-alert@hp.com > > Please encrypt any exploit information using the security-alert > PGP key, available from your local key server, or by sending a > message with a -subject- (not body) of 'get key' (no quotes) to > security-alert@hp.com. > > Permission is granted for copying and circulating this Bulletin to > Hewlett-Packard (HP) customers (or the Internet community) for the > purpose of alerting them to problems, if and only if, the Bulletin > is not edited or changed in any way, is attributed to HP, and > provided such reproduction and/or distribution is performed for > non-commercial purposes. > > Any other use of this information is prohibited. HP is not liable > for any misuse of this information by any third party. > ________________________________________________________________________ > -----End of Document ID: HPSBUX9707-067-------------------------------------- > > > Document ID: HPSBUX9707-068 > Date Loaded: 970730 > Title: Security Vulnerability in Novell Netware 3.12 on HP-UX > > ------------------------------------------------------------------------- > HEWLETT-PACKARD SECURITY BULLETIN: #00068, 30 July 1997 > ------------------------------------------------------------------------- > > The information in the following Security Bulletin should be acted upon > as soon as possible. Hewlett Packard will not be liable for any > consequences to any customer resulting from customer's failure to fully > implement instructions in this Security Bulletin as soon as possible. > > ------------------------------------------------------------------------- > > PROBLEM: Novell Netware 3.12 release B.10.08 or earlier, and B.09.05 or > earlier allows unauthorized users to read files. > > PLATFORM: HP 9000 Series 700/800s running only specific releases of HP-UX > 9.X and 10.X. See below. > > DAMAGE: Allows users unauthorized file read access. > > SOLUTION: Apply the following patches as needed: > PHNE_11684 for HP-UX release 9.04, or > PHNE_11341 for HP-UX release 10.01, and > PHNE_11722 for HP-UX release 10.01, or > PHNE_11723 for HP-UX release 10.10, or > PHNE_11724 for HP-UX release 10.20. > > AVAILABILITY: All patches are available now. > ------------------------------------------------------------------------- > I. > A. Background > Hewlett-Packard Company has discovered a defect in the Novell > Netware 3.12 product running on HP-UX. This defect is seen on > both 9.04 and 10.X operating systems, and allows users to read > files from an unauthorized PC. Native Netware is exempt from > this defect. > > NOTE: The product in question only runs on HP-UX releases 9.04, > 10.01, 10.10, or 10.20. > > B. Fixing the problem > For HP-UX 9.04 users, simply obtain Netware release B.09.08.002 > to be used as a full product replacement. This is the patch > PHNE_11684. Installation will require rebooting the server. > > For 10.01 users, before continuing to use Netware, first obtain > PHNE_10341 (the full product replacement patch B.10.08) and then > apply patch PHNE_11722 (B.10.08.002). PHNE_11722 will not > install unless PHNE_10341 has been previously installed. > > For HP-UX 10.10 and 10.20 update to the Netware B.10.08 release > from the latest application release CD, DART32 or newer. > Then install the appropriate patch (see above). > > C. Recommended solution > The patch is a cumulative patch and and fully fixes the > discovered vulnerability. > > D. To subscribe to automatically receive future NEW HP Security > Bulletins from the HP SupportLine Digest service via electronic > mail, do the following: > > 1) From your Web browser, access the URL: > > http://us-support.external.hp.com > (for US,Canada, Asia-Pacific, and Latin-America) > > http://europe-support.external.hp.com (for Europe) > > 2) On the HP Electronic Support Center main screen, select > the hyperlink "Support Information Digests". > > 3) On the "Welcome to HP's Support Information Digests" screen, > under the heading "Register Now", select the appropriate > hyperlink "Americas and Asia-Pacific", or "Europe". > > 4) On the "New User Registration" screen, fill in the fields for > the User Information and Password and then select the button > labeled "Submit New User". > > 5) On the "User ID Assigned" screen, select the hyperlink > > "Support Information Digests". > > ** Note what your assigned user ID and password are for > future reference. > > 6) You should now be on the "HP Support Information Digests Main" > screen. You might want to verify that your email address is > correct as displayed on the screen. From this screen, you may > also view/subscribe to the digests, including the security > bulletins digest. > > To get a patch matrix of current HP-UX and BLS security patches > referenced by either Security Bulletin or Platform/OS, click on > following screens in order: > Technical Knowledge Database > Browse Security Bulletins > Security Bulletins Archive > HP-UX Security Patch Matrix > > E. To report new security vulnerabilities, send email to > > security-alert@hp.com > > Please encrypt any exploit information using the security-alert > PGP key, available from your local key server, or by sending a > message with a -subject- (not body) of 'get key' (no quotes) to > security-alert@hp.com. > > Permission is granted for copying and circulating this Bulletin to > Hewlett-Packard (HP) customers (or the Internet community) for the > purpose of alerting them to problems, if and only if, the Bulletin is > not edited or changed in any way, is attributed to HP, and provided > such reproduction and/or distribution is performed for non-commercial > purposes. > > Any other use of this information is prohibited. HP is not liable > for any misuse of this information by any third party. > _______________________________________________________________________ > -----End of Document ID: HPSBUX9707-068-------------------------------------- >