NSFOCUS Security Advisory(SA2003-08)

Topic: HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability

Release Date: 2003-11-13

CVE CAN ID: CVE-2000-0844

Affected system:
==============
- HP-UX B.11.00
- HP-UX B.11.11

Impact:
======

NSFOCUS Security Team has found that the libc in HP-UX does not restrict the NLSPATH variable for suid root programs, which leads to a format string vulnerability. By exploiting the vulnerability, a local attacker could gain root privileges.

Description:
==========

Many programs in HP-UX use catopen()/catgets() and other functions in libc to display localized information. When catopen() has detected the environment variable NLSPATH, it will open the specified file and read messages from it.

However, catopen() does not restrict the use of NLSPATH by suid root programs, which allows local attackers to set the NLSPATH variable so that it points to a message catalog file crafted by themselves. When the suid root program uses catopen() to open that message file and passes the data read from it to *printf() as the format argument, a format string vulnerability results.

Any suid root program that uses catopen()/catgets() is vulnerable. By exploiting the vulnerability, local attackers could gain root privileges.

According to our testing, at least the following programs are vulnerable:

-r-sr-xr-x 1 root bin 45056 Nov 14 2000 /usr/bin/at
-r-sr-xr-x 1 root bin 24576 Nov 14 2000 /usr/bin/crontab
-r-sr-xr-x 1 root bin 45056 Nov 14 2000 /usr/bin/ct
-r-sr-xr-x 1 root bin 36864 Apr 19 2001 /usr/bin/cu
-r-sr-xr-x 1 root bin 20480 Nov 14 2000 /usr/lbin/exrecover
-r-sr-xr-x 1 root bin 40960 Aug 16 2001 /usr/bin/lp
-r-sr-sr-x 2 root mail 45056 Nov 14 2000 /usr/bin/mail
-r-sr-xr-x 5 root bin 45056 Nov 14 2000 /usr/bin/passwd
-r-sr-xr-x 1 root bin 24576 Nov 14 2000 /usr/bin/su
-r-sr-xr-x 11 root bin 1921024 Nov 6 2001 /usr/sbin/swinstall
-r-sr-xr-x 2 root bin 1028096 Nov 6 2001 /usr/sbin/swpackag

Workaround:
===========
NSFOCUS suggests temporarily removing the suid root bit from all of the programs listed above. However, this may cause considerable inconvenience. You are advised to apply the appropriate patch as soon as possible.

Vendor Status:
============

2002.11.19 Informed the vendor
2002.12.05 Vendor confirmed the vulnerability
2003.11.05 Vendor released a security bulletin (HPSBUX0311-294) and related patches for the vulnerability.

Detailed information for the HP security bulletin is available at:
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0311-294

Note: A valid ITRC account is required for the link above.

Patch ID:

HP-UX B.11.22 PHCO_29329
HP-UX B.11.11 PHCO_29495
HP-UX B.11.00 PHCO_29284
HP-UX B.10.20 PHCO_26158

Additional Information:
==================

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0090 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries.

Credit:
=====

Yang Jilong of NSFOCUS Security Team found the vulnerability.

DISCLAIMS:
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

© 2009 NSFOCUS.

NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA