-- Corsaire Security Advisory --

Title: HP Ignite-UX passwd file disclosure issue
Date: 23.11.04
Application: HP Ignite-UX prior to version C.6.2.241
Environment: HP-UX
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c041123-001


-- Scope --

The aim of this document is to clearly define a vulnerability in the HP
Ignite-UX product, as supplied by HP Inc. [1], that would allow
unauthenticated access to a copy of the /etc/passwd file.


-- History --

Discovered: 23.11.04 (Martin O'Neal)
Vendor notified: 23.11.04
Document released: 16.08.05


-- Overview --

The HP Ignite-UX application "addresses the need for HP-UX system
administrators to perform system installations and deployment, often on
a large scale" [2]

As part of the installation process, the product can install and enable
a TFTP server to facilitate anonymous access to configuration data. In
certain circumstances, a copy of the /etc/passwd file will be moved into
the TFTP server tree and made available for anonymous access.


-- Analysis --

The HP Ignite-UX can use a TFTP server to facilitate anonymous access to
configuration data. When the make_recovery command is used, a copy of
the /etc/passwd file will be created in the TFTP server tree and made
available for anonymous access.

As of version B.3.2 of the product, the make_recovery command has been
depreciated in preference for the make_tape_recovery command (which
doesn't display the same issues), and as of version C.6.0 the
make_recovery command does not exist in the product at all. However, if
at any point make_recovery has been run on the host, a copy of the
/etc/passwd file may still remain within the TFTP server tree.


-- Proof of Concept -

Use a TFTP client to request the file referenced by the following path:

       /var/opt/ignite/recovery/passwd.makrec


-- Recommendations --

Download and apply the HP Ignite-UX version C.6.2.241 patches.

Replace all usage of the make_recovery command with make_tape_recovery.

If in any doubt, disable the TFTP server.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004- 0951 to this issue. This is a candidate for inclusion in
the CVE list (https://cve.mitre.org), which standardises names for
security problems.


-- References --

[1] https://www.hp.com
[2] https://software.hp.com/products/IUX/overview.html


-- Revision --

a. Initial release.
b. Released.

-- Distribution --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
https://www.penetration-testing.com


Copyright 2005 Corsaire Limited. All rights reserved.