I sent this out on Christmas Eve, but it doesn't seem to have gotten through, so I'm trying again...

I've been meaning to send this out for a while, but just didn't get around to cleaning it up enough so that it could be run as a simple script on people's systems. I decided to do it now as a Christmas present to everyone who has been waiting far too long for HP to put out the patches to fix the automountd/autofs hole. I have no idea why HP, SGI, IBM (anyone else affected?) are taking so long to produce this simple fix, but whatever.

Here is a fix that will work on HP-UX 10.20 and 11.0 (I haven't tested it on 11.0, but it should work) systems to block the automountd hole, so long as the loss of the executable map capability isn't a problem for you. See the comments in the script below which implements the fix. Please remember that if you install a patch that patches automountd, this fix will be wiped out, and you'll need to re-run this script to regain the protection. You will need either the HP ANSI C compiler or gcc for the script to work; the HP base/bundled C compiler can't generate position independent code.

Note that while the same technique may appear to be useful to protect against buffer overflow attacks (by taking over all the exec* functions and system(), in addition to just popen()) it isn't, because while you can protect against the traditional script kiddie attack using the regular /bin/sh shellcode, it'd just require a small bit of work to change the assembly to do something like say open /etc/passwd and add a nice uid 0 account, etc. Once someone published that assembly code the "fix" would become useless. HP is adding/has added executable stack protection to HP-UX 11, and it is quite nice as it is implemented on a per binary basis. Just look at the man page for chatr(1) on a recently patched HP-UX 11 system.
I don't know if all the bits required for this to work are operational yet, but I remember hearing that the next release of HP-UX 11 (due next spring I believe) includes "buffer overflow protection". Not that this would help the automountd hole, but most of the holes nowadays are buffer overflows, so it'll be nice that we'll be able to make them pretty much a thing of the past on HP-UX soon enough, and without the annoying tradeoffs that the Solaris/Linux style global kernel tunable require.

As always, no support, warranties, guarantees that this doesn't allow easy root access on your system to the world...don't call me I'll call you, etc.

Merry Christmas, Chanukah, Ramadan, Festivus, whatever you celebrate :)

#!/usr/bin/sh
#
# This closes the HP automountd/autofs hole by creating a libc stub that takes
# over the libc popen(3) function.  HP's automountd uses popen to implement
# executable maps, which is a new feature of autofs versus the old style
# automount, but is also the way this hole is exploited.  Even after it is
# fixed, if you don't use executable maps you will probably sleep better if you
# know executable maps have been completely disabled.  Obviously if you wish to
# make use of executable maps, this fix is no good to you, and you'll have to
# wait for an official patch from HP, and then keep your fingers crossed and
# hope there isn't another hole waiting to be exploited.
#
# Douglas Siebert 10/23/99 (packaged as a script 12/24/99)
#

# Check that you are root
if [ `whoami` != "root" ]; then
    echo "Must be root to run this script"
    exit 1
fi

# Change to autofs directory for this script (bail out if it isn't there,
# since everything below is relative to it)
cd /usr/lib/netsvc/fs/autofs || exit 1
umask 077

# Create libc stub: the only symbol it defines is popen(), so every other
# libc call falls through to the real libc linked in as a dependency below
cat > libc.c << __EOF__
#include <stdio.h>
#include <syslog.h>

FILE *
popen(const char *command, const char *type)
{
    syslog(LOG_ALERT, "Exploit attempted on automountd/autofs hole");
    return(NULL);
}
__EOF__

# Compile it with cc or gcc (hopefully you've got one of them)
/usr/bin/cc -c libc.c -Ae +z || gcc -c libc.c -fpic || NOCC=1
if [ "$NOCC" ]; then
    echo "You must have the HP ANSI/C or gcc compiler on your system"
    rm -f libc.c
    exit 1
fi
rm -f libc.c

# Create the stub libc with the real libc as a dependency (HP hates when you
# do this)  I haven't yet tested this on HP-UX 11, but it should work.
if [ -x /usr/lib/libc.2 ]; then
    rm -f libc.2
    /usr/bin/ld -b -o libc.2 libc.o /usr/lib/libc.2
    chmod 555 libc.2
else
    rm -f libc.1
    /usr/bin/ld -b -o libc.1 libc.o /usr/lib/libc.1
    chmod 555 libc.1
fi
rm -f libc.o

# Figure out where automountd is (there are at least two possibilities -- the
# latest HP-UX 10.20 patches moved some stuff around and I don't know if the
# automountd binary was in /usr/sbin before or not.  But in HP-UX 11 it has
# moved to /usr/lib/netsvc/fs/autofs.  Hopefully those are the only possible
# locations)
if [ -x /usr/sbin/automountd ]; then
    AUTOMOUNTD_DIR=/usr/sbin
elif [ -x /usr/lib/netsvc/fs/autofs/automountd ]; then
    AUTOMOUNTD_DIR=/usr/lib/netsvc/fs/autofs
else
    echo "Can't find automountd in /usr/sbin or /usr/lib/netsvc/fs/autofs"
    exit 1
fi

# If the wrapper script is already installed (i.e. no patch has replaced it),
# don't overwrite the saved original binary with the wrapper
if head -1 $AUTOMOUNTD_DIR/automountd 2>/dev/null | grep -q '^#!/usr/bin/sh'; then
    echo "$AUTOMOUNTD_DIR/automountd is already the wrapper script, nothing to do"
    exit 1
fi

# Save unmodified automountd binary
mv -f $AUTOMOUNTD_DIR/automountd $AUTOMOUNTD_DIR/automountd.ORIG

# Set up new one to obey SHLIB_PATH (setuid/daemon binaries ignore it unless
# chatr +s enable is set on the binary)
cp -fp $AUTOMOUNTD_DIR/automountd.ORIG $AUTOMOUNTD_DIR/automountd.mod
chatr +s enable $AUTOMOUNTD_DIR/automountd.mod >/dev/null

# Create shell script to replace automountd; it points SHLIB_PATH at the
# directory holding our stub libc so the stub is found before /usr/lib
cat > $AUTOMOUNTD_DIR/automountd << __EOF__
#!/usr/bin/sh
export SHLIB_PATH=/usr/lib/netsvc/fs/autofs
exec $AUTOMOUNTD_DIR/automountd.mod "\$@"
__EOF__
chmod 555 $AUTOMOUNTD_DIR/automountd

# Assume that if new libc.x exists, we succeeded...
if [ -x libc.1 -o -x libc.2 ]; then
    echo "Success!  You must now reboot if you have autofs running"
    exit 0
else
    echo "Something went wrong, but I have no idea what"
    exit 1
fi

--
Douglas Siebert
Director of Computing Facilities
douglas-siebertat_private
Division of Mathematical Sciences, U of Iowa

I'm not too interested in caller ID. But caller IQ, I'll pay a lot for that!
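Since an HP patch that replaces the automountd binary silently wipes out the wrapper, here is an added check script (not part of the original post) that verifies the protection is still in place. It assumes the layout the script above creates: the wrapper in the automountd directory, automountd.mod beside it, and the libc.1/libc.2 stub in the autofs directory; the function name and its two directory arguments are my own.

```shell
#!/usr/bin/sh
# check_autofs_fix AUTOMOUNTD_DIR AUTOFS_DIR
# Returns 0 if the popen-stub protection is intact, 1 (with a reason) if not.
check_autofs_fix() {
    automountd_dir=$1
    autofs_dir=$2
    wrapper=$automountd_dir/automountd
    status=0

    # 1. The automountd entry point must be the wrapper shell script. A patch
    #    that reinstalls the real binary here is exactly what we want to catch.
    if [ ! -f "$wrapper" ] || [ "$(head -1 "$wrapper" 2>/dev/null)" != "#!/usr/bin/sh" ]; then
        echo "FAIL: $wrapper is not the wrapper script (a patch may have replaced it)"
        status=1
    elif ! grep -q -F "SHLIB_PATH=$autofs_dir" "$wrapper"; then
        echo "FAIL: wrapper does not point SHLIB_PATH at $autofs_dir"
        status=1
    fi

    # 2. The relinked copy the wrapper execs must exist and be executable.
    if [ ! -x "$automountd_dir/automountd.mod" ]; then
        echo "FAIL: $automountd_dir/automountd.mod is missing"
        status=1
    fi

    # 3. The stub libc that overrides popen() must be present in the autofs dir.
    if [ ! -x "$autofs_dir/libc.1" ] && [ ! -x "$autofs_dir/libc.2" ]; then
        echo "FAIL: no libc.1/libc.2 stub in $autofs_dir"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: automountd popen stub protection is in place"
    return "$status"
}
```

Run it from cron or after every patch install; a non-zero exit means the fix script above needs to be re-run.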
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:10 PDT