Possible to way to get into root account

 
SOLVED
Go to solution
S. Singaravelu
Occasional Advisor

Hi HP Experts,

As an HP-UX administrator, I am new to 11.X.
I have a critical billing system running on our premises. My question is whether there is any new way found by attackers to get into HP-UX 11
other than the following ways:
setuid programs
copying /usr/bin/sh
using escape sequences in HPterm

If any of you know about any other method which is most likely to destroy the system or lead to a backdoor, please mail me.
I just want to get rid of known security holes.

Thanks bussy
singaravelu
I want to remove the word "impossible" from the dictionary
Alex Glennie
Honored Contributor

Re: Possible to way to get into root account

S. Singaravelu
Occasional Advisor

Re: Possible to way to get into root account

What I exactly want to know is: 'Is there any known security hole which can get anybody into the root account in HP-UX 11.x (specifically)?'
I want to remove the word "impossible" from the dictionary
Jeff Machols
Esteemed Contributor

Re: Possible to way to get into root account

This is the big one that just came out: you can overflow the login buffer and get a root shell. Here is the patch for it:

http://us-support.external.hp.com/wpsl/bin/doc.pl/screen=wpslDisplayPatch/sid=289d684717abea1e28?PATCH_PATH=/hp-ux_patches/s700_800/11.X/PHCO_25590&HW=s800&OS=11.00
harry d brown jr
Honored Contributor
Solution

Re: Possible to way to get into root account

singaravelu,

Have a look at this document, to "fortify" (bastion) your host:

http://people.hp.se/stevesk/bastion11.html

live free or die
harry
Live Free or Die
Chris Vail
Honored Contributor

Re: Possible to way to get into root account

I took the HP Education course on Unix Security
http://www.hp.com/education/courses/h3541s.html

I strongly recommend it. The other folks have given good advice, but this will help out a lot for HP and Unix in general.


Chris
Mark Greene_1
Honored Contributor

Re: Possible to way to get into root account

Look here to see ways to improve security with inetd:

http://www.uwsg.indiana.edu/security/inetd.html

Several of the inetd services allow for transfer of files to the system, so the possibility exists for someone to drop a script or executable on your system in place of a regular system command and thus gain entrance.

--
mark
the future will be a lot like now, only later
John Bolene
Honored Contributor

Re: Possible to way to get into root account

Hopefully you have physical security already handled.

The easiest way to get into an HP-UX server as root is to boot the machine, get into the ISL and from there into single-user mode. The root password can then be changed, or your own userid can be added to the password file as UID 0.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Steven Sim Kok Leong
Honored Contributor

Re: Possible to way to get into root account

Hi,

There are basically two main types of root compromise:
1) remote root compromise
2) local root compromise

Recently there have been quite a number of security vulnerabilities with remote root compromise threats, such as those for the login and lpd daemon buffer overflows. At the beginning of this year, there was also a root compromise threat for unpatched OmniBack versions 3.0 and older.

Some security measures I can think of off the top of my head:

1) Remove all unnecessary network services if you are not using them, e.g. sendmail, chargen, echo etc. Replace unencrypted services with their encrypted equivalents, e.g. telnet with ssh, ftp with sftp etc. You can also tunnel sensitive traffic over ssh. Restrict your su command etc. Always base decisions on a need-to-know and need-to-use strategy.

2) For minimal C2 security, ensure that your server has been converted to trusted via tsconvert -c. Adopt strong password policies. Check your umask. Look out for writable files as well, apart from setuid/setgid files.

3) Check that your security patches are up-to-date.

4) Remove unnecessary setuid files.

5) Install tripwire or use HP-UX's production definition files (pdfchk, pdfdiff etc) to verify that your files are tamper-free. Always make sure you have a healthy set of checksums to compare with. This will also look out for trapdoors. The issue however is that you need to make sure that the tripwire, pdfchk etc binaries are tamper-free in the first place as well :)

6) Subscribe to HP-UX Security Bulletin and CERT or SANS advisories.

7) Periodically perform network-based and host-based security audits on your system. One good network-based security audit tool is Nessus which comes free.

8) Install host-based and network-based firewalls and IDSes and fine-tune them properly to remove false positives.

9) Monitor the performance and health of your system closely for any anomalies. Remember to set baselines for acceptable system behaviour. Trigger an alarm if any baselines are breached.

10) Physical security is important, as has already been mentioned in the responses above. Are your disks hot-swappable and easily detachable? Is there CCTV monitoring?

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
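As an added example (not code from the thread, HP, or tripwire), here is a small POSIX shell script that does what items 2, 4 and 5 above describe: it takes a checksum baseline of a directory, re-checks it later, and sweeps for setuid/setgid and world-writable files. It assumes only POSIX find, cksum, sort and diff, so it runs unchanged on HP-UX 11.x and on a Linux test box; the baseline file must live on read-only or offline media, for the reason the post itself gives.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline plus permission sweeps.
# cksum gives a CRC, which is enough to catch accidental change and casual
# replacement; where md5sum or a SHA tool exists, swap it in for snapshot().
# ASSUMPTION: $2 (the baseline file) is stored where the host cannot rewrite it.

# Print "crc size path" for every regular file under $1, sorted by path so
# two snapshots of the same tree are comparable line by line.
snapshot() {
    find "$1" -type f -exec cksum {} \; | sort -k3
}

# Record a baseline for directory $1 into file $2.
make_baseline() {
    snapshot "$1" > "$2"
}

# Compare the current state of $1 against baseline $2.
# Exit status 0 when identical, non-zero when any file changed, appeared or
# vanished; the diff lines show the operator exactly which entries moved.
check_baseline() {
    snapshot "$1" | diff "$2" -
}

# Item 4: list setuid/setgid files under $1 for review and removal.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Item 2: list world-writable files under $1.
find_world_writable() {
    find "$1" -type f -perm -002 -print
}

# Self-contained demonstration on a constructed scratch tree.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin"
    printf 'original\n' > "$d/bin/tool"
    make_baseline "$d/bin" "$d/baseline.txt"
    check_baseline "$d/bin" "$d/baseline.txt" > /dev/null && echo "baseline clean"
    printf 'tampered\n' > "$d/bin/tool"          # simulate a replaced binary
    check_baseline "$d/bin" "$d/baseline.txt" || echo "tamper detected"
    rm -rf "$d"
}

demo
```

In production, run check_baseline from cron against a baseline copy on read-only media and alert on a non-zero exit, which matches the "trigger an alarm when a baseline is breached" advice in item 9.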