From support@us.external.hp.com Wed Mar 13 00:58:59 1996
Date: Wed, 13 Mar 1996 01:02:01 -0800
From: HPSL Mail Service
Reply-To: support-feedback@us.external.hp.com
To: Damien Sorder
Subject: RE: send doc HPSBUX9406-014

--------

## Regarding your request: Send Doc HPSBUX9406-014

The following are the results of your request from the HP SupportLine
mail service.

===============================================================================
Document Id:   [HPSBUX9406-014]
Date Loaded:   [07-07-94]
Description:   Patch file permissions vulnerability
===============================================================================

-----------------------------------------------------------------------------
HEWLETT PACKARD SECURITY BULLETIN: #00014, 05 July 1994
-----------------------------------------------------------------------------

Hewlett-Packard recommends that the information in the following Security
Bulletin should be acted upon as soon as possible. Hewlett-Packard will not
be liable for any consequences to any customer resulting from customer's
failure to fully implement instructions in this Security Bulletin as soon
as possible.

_____________________________________________________________________________

PROBLEM:   Some patches may be installed with unsafe permissions. The
           /system/PHxx_nnnn directory may be world writable.

PLATFORM:  s300/s400/s700/s800, all revisions of HP-UX

DAMAGE:    The customize and decustomize scripts may be altered. The
           original files saved in the /system/PHxx_nnnn/orig directory
           may be replaced.

SOLUTION:  Do not use any of the files in the vulnerable patch directories.

_____________________________________________________________________________

I. Patch Permissions

   A. CERT Advisory

      None.

   B. Nature of the problem

      Many patches install into world writable directories in /system.
      Because anyone on the system can write to such a directory, the
      customize and decustomize scripts in it could have been altered, the
      files in the orig directory could have been altered, and in fact the
      entire orig directory could have been replaced. Since those scripts
      are run, and those saved originals are restored, with root
      privileges by the patch tooling, nothing in a vulnerable patch
      directory can be trusted.

   C. Fixing the problem

      1. All new patches now have their permissions set to safe values
         before they are posted.

      2. We are in the process of fixing and reposting existing patches.
         The patch numbers will not change. This bulletin will be updated
         when that process is complete.

      3. You should immediately examine the patch directories in /system
         to identify vulnerable patches. Make sure you do not restore any
         of the files in a vulnerable patch directory. The
         "find_patch_perms" script below can be used to identify the
         vulnerable directories. The "remove_vulnerable" script can be
         used to remove the vulnerable patch directories. For example:

            find_patch_perms >>/usr/adm/vulnerable_patches
            remove_vulnerable

      4. Until the patches have been corrected and reposted, you should
         change the permissions to safe values. The script
         "fix_patch_perms" will do that. It, or something similar, should
         be executed immediately after each patch is installed, before
         anyone else has a chance to modify the directory.

Scripts:

----------------------------------------
#!/bin/sh
# "find_patch_perms" script
#
# Reports every /system/PHxx_nnnn directory that is writable by "other"
# (vulnerable) or only by group (possibly vulnerable). Columns 6 and 9 of
# the "ls -l" mode string (HP-UX "ll" is "ls -l") are the group and other
# write bits: "drwxrwxrwx" is 777, "drwxr-xr-x" is 755.

for i in /system/PH*_*
do
    [ -d "$i" ] || continue        # glob did not match: no patches installed
    g=`ls -ld "$i" | cut -c6`
    o=`ls -ld "$i" | cut -c9`
    #echo $i $g $o
    if [ "$o" = "w" ]
    then
        echo "$i IS vulnerable. DO NOT USE THIS DIRECTORY."
    else
        if [ "$g" = "w" ]
        then
            # The patch directories should have either 755 permissions (good)
            # or 777 (BAD). There are no known patches that have write
            # permissions on group that do not have write permission on
            # other. But to be sure, flag that case as a possible problem.
            echo "$i might be vulnerable."
        fi
    fi
done
----------------------------------------
#!/bin/sh
# "remove_vulnerable" script
#
# Same test as find_patch_perms, but removes the directories that are
# writable by "other" instead of only reporting them. Run as root.

for i in /system/PH*_*
do
    [ -d "$i" ] || continue        # glob did not match: no patches installed
    g=`ls -ld "$i" | cut -c6`
    o=`ls -ld "$i" | cut -c9`
    #echo $i $g $o
    if [ "$o" = "w" ]
    then
        echo "$i IS vulnerable. Removing that directory."
        rm -rf "$i"
    else
        if [ "$g" = "w" ]
        then
            # The patch directories should have either 755 permissions (good)
            # or 777 (BAD). There are no known patches that have write
            # permissions on group that do not have write permission on
            # other. But to be sure, flag that case as a possible problem.
            echo "$i might be vulnerable."
            echo "You should look at the group and consider removing "
            echo "the files in $i"
        fi
    fi
done
----------------------------------------
#!/bin/sh
# "fix_patch_perms" script
#
# Sets the permissions of one freshly installed patch directory to safe
# values: group and other lose write and execute on every entry, the
# directory itself becomes 755, and orig becomes 500 (readable and
# searchable by root only). Note that "\c" suppresses the newline in the
# HP-UX sh echo.

if [ "$1" = "" ]
then
    echo "This script changes the permissions on patch files"
    echo "and directories to safe values."
    echo ""
    echo "This script should be run immediately after the patch"
    echo "has been installed."
    echo ""
    echo "Usage:   fix_patch_perms PHxx_nnnn"
    echo "Example: fix_patch_perms PHSS_1234"
    exit 1
fi

if [ ! -d "/system/$1" ]
then
    echo "/system/$1 is not a directory."
    exit 1
fi

#
# Remove write and execute permissions from group and other.
#
for i in /system/$1/*
do
    echo "Before: $i \c"
    ls -ld "$i" | cut -c1-10
    chmod g-wx,o-wx "$i"
    echo "After : $i \c"
    ls -ld "$i" | cut -c1-10
    echo " "
done

#
# Set the /system/PHxx_nnnn permission to 755.
#
echo "Before: /system/$1 \c"
ls -ld "/system/$1" | cut -c1-10
chmod 755 "/system/$1"
echo "After : /system/$1 \c"
ls -ld "/system/$1" | cut -c1-10
echo " "

#
# Set /system/PHxx_nnnn/orig to 500
#
if [ -d "/system/$1/orig" ]
then
    echo "Before: /system/$1/orig \c"
    ls -ld "/system/$1/orig" | cut -c1-10
    chmod 500 "/system/$1/orig"
    echo "After : /system/$1/orig \c"
    ls -ld "/system/$1/orig" | cut -c1-10
    echo " "
fi
----------------------------------------

-----------------------------------------------------------------------
To subscribe to automatically receive NEW future HP Security Bulletins
from the HP SupportLine mail service via electronic mail, send the
following in the TEXT PORTION OF THE MESSAGE to
support@support.mayfield.hp.com (no Subject is required):

    subscribe security_info

To retrieve the index of all HP Security Bulletins, send the following:

    send security_info_list

To obtain a copy of the HP SupportLine mail service user's guide, send
the following:

    send guide.txt

For security concerns, write to: security-alert@hp.com
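As an added example to go with steps 3 and 4 of section I.C (identify vulnerable patch directories, then fix permissions right after installation), the script below is not one of HP's bulletin scripts. It applies the bulletin's rule (writable by other = vulnerable, writable only by group = suspect) to the whole patch directory tree rather than just the top-level directory, because the things that are actually trusted are the customize/decustomize scripts and the contents of orig/, and it re-verifies after hardening. It assumes a /system-style root directory is passed as an argument; no real patch names or paths are hard-coded, and the PHSS_ names used to exercise it are made up.

```shell
#!/bin/sh
# Added example, not one of HP's scripts. Checks and hardens PHxx_nnnn patch
# directories under a /system-style root given as an argument, applying the
# bulletin's rule to every file and subdirectory, not only the top level.

# True if the path itself or anything below it is writable by "other".
world_writable() {
    find "$1" -perm -002 -print 2>/dev/null | grep -q .
}

# True if the path itself or anything below it is writable by group.
group_writable() {
    find "$1" -perm -020 -print 2>/dev/null | grep -q .
}

# Classify one patch directory. Prints a verdict line and returns
# 1 = VULNERABLE (other-writable somewhere in the tree),
# 2 = SUSPECT (group-writable only), 0 = ok.
classify_patch_dir() {
    if world_writable "$1"; then
        echo "$1 VULNERABLE: do not use or restore anything from it"
        return 1
    elif group_writable "$1"; then
        echo "$1 SUSPECT: group-writable, inspect before use"
        return 2
    fi
    echo "$1 ok"
    return 0
}

# Check every PHxx_nnnn directory under the given root. Returns 1 if any is
# VULNERABLE, 2 if the worst finding is SUSPECT, 0 if all are clean.
check_patch_tree() {
    worst=0
    for d in "$1"/PH*_*; do
        [ -d "$d" ] || continue          # unmatched glob: no patches installed
        if classify_patch_dir "$d"; then
            rc=0
        else
            rc=$?
        fi
        if [ "$rc" -eq 1 ]; then
            worst=1
        elif [ "$rc" -eq 2 ] && [ "$worst" -eq 0 ]; then
            worst=2
        fi
    done
    return $worst
}

# Apply the bulletin's safe values to one freshly installed patch directory,
# as fix_patch_perms does but recursively so orig/'s contents are covered:
# g-wx,o-wx on everything, then 755 on the directory and 500 on orig/.
# Returns 0 only if the directory then classifies as ok. This is not a
# repair for a directory that was already VULNERABLE: the bulletin says to
# remove those, since their contents cannot be trusted.
harden_patch_dir() {
    d=$1
    [ -d "$d" ] || return 1
    find "$d" -exec chmod g-wx,o-wx {} + 2>/dev/null
    chmod 755 "$d"
    if [ -d "$d/orig" ]; then
        chmod 500 "$d/orig"
    fi
    classify_patch_dir "$d" >/dev/null
}
```

Typical use is `check_patch_tree /system` right after installing a patch and again periodically; a nonzero return of 1 means at least one directory must be removed rather than fixed, while `harden_patch_dir /system/PHxx_nnnn` is only for a directory you installed moments ago and that nobody else could have touched yet.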