Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » HP Tru64/HP-UX C library stdio vulnerability

HP Tru64/HP-UX C library stdio vulnerability

by Nikola Strahija on March 25th, 2003 HP Tru64 and HP-UX based kernels do not check to ensure that the C library stdIO file descriptors 0-2 are valid open files before exec()ing setuid images. This could lead to possible root compromise.


I/O that are opened by a setuid process may be assigned file descriptors equivelent to those used by the C library as "standard input","standard output" and "standard error".

This may result in data written to I/O channels by an attacker and lead to possible local root compromise.

Vulnerable:
Compaq Tru64 4.0 g PK3 (BL17)
Compaq Tru64 4.0 g
Compaq Tru64 4.0 f PK7 (BL18)
Compaq Tru64 4.0 f PK6 (BL17)
Compaq Tru64 4.0 f
Compaq Tru64 5.0 a PK3 (BL17)
Compaq Tru64 5.0 a
Compaq Tru64 5.1 a PK3 (BL3)
Compaq Tru64 5.1 a PK2 (BL2)
Compaq Tru64 5.1 a PK1 (BL1)
Compaq Tru64 5.1 a
Compaq Tru64 5.1 PK6 (BL20)
Compaq Tru64 5.1 PK5 (BL19)
Compaq Tru64 5.1 PK4 (BL18)
Compaq Tru64 5.1 PK3 (BL17)
Compaq Tru64 5.1


Not vulnerable:
Compaq Nonstop Kernel S-Series 3.0
Compaq OpenVMS 5.3
Compaq OpenVMS 6.2 VAX
Compaq OpenVMS 6.2 Alpha
Compaq OpenVMS 6.2
Compaq OpenVMS 7.1 Alpha
Compaq OpenVMS 7.1 -2 Alpha
Compaq OpenVMS 7.1 VAX
Compaq OpenVMS 7.2 -2 Alpha
Compaq OpenVMS 7.2 -1H2 Alpha
Compaq OpenVMS 7.2 -1H1 Alpha
Compaq OpenVMS 7.2 VAX
Compaq OpenVMS 7.2 Alpha
Compaq OpenVMS 7.2.1 Alpha
Compaq OpenVMS 7.3 VAX
Compaq OpenVMS 7.3 Alpha
HP MPE/iX 4.0
HP MPE/iX 4.5
HP MPE/iX 5.0
HP MPE/iX 5.5
HP MPE/iX 6.0
HP MPE/iX 6.5
HP MPE/iX 7.0


Solution:
Fixes and updates are available:

Compaq Tru64 4.0 g PK3 (BL17):

HP Patch t64v40gb17-c0028500-17206-es-20030305.tar
ftp://ftp1.support.compaq.com/public/unix/v4.0g/t64v40gb17-c0028500-17206-es-20030305.tar

Compaq Tru64 4.0 g:
Compaq Tru64 4.0 f PK7 (BL18):

HP Patch t64v50ab17-c0031400-17220-es-20030305.tar
ftp://ftp1.support.compaq.com/public/unix/v5.0a/t64v50ab17-c0031400-17220-es-20030305.tar

Compaq Tru64 4.0 f PK6 (BL17):
Compaq Tru64 4.0 f:
Compaq Tru64 5.0 a PK3 (BL17):

HP Patch t64v50ab17-c0031400-17220-es-20030305.tar
ftp://ftp1.support.compaq.com/public/unix/v5.0a/t64v50ab17-c0031400-17220-es-20030305.tar

Compaq Tru64 5.0 a:
Compaq Tru64 5.1 a PK3 (BL3):

HP Patch t64v51ab3-c0106401-17256-es-20030306.tar
ftp://ftp1.support.compaq.com/public/unix/v5.1a/t64v51ab3-c0106401-17256-es-20030306.tar

Compaq Tru64 5.1 a PK2 (BL2):
Compaq Tru64 5.1 a PK1 (BL1):
Compaq Tru64 5.1 a:
Compaq Tru64 5.1 PK6 (BL20):

HP Patch t64v51b20-c0172301-17255-es-20030306.tar
ftp://ftp1.support.compaq.com/public/unix/v5.1/t64v51b20-c0172301-17255-es-20030306.tar

Compaq Tru64 5.1 PK5 (BL19):

HP Patch t64v51b19-c0143704-17254-es-20030306.tar
ftp://ftp1.support.compaq.com/public/unix/v5.1/t64v51b19-c0143704-17254-es-20030306.tar


Sources:
HP advisory SSRT0845U:
http://www.xatrix.org/article2805.html


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »