<<< Date Index >>>     <<< Thread Index >>>

Re: PS Information Leak on HP True64 Alpha OSF1 v5.1 1885



On Tue, 6 Feb 2007, Andrea "bunker" Purificato wrote:
[After months of silence from the "HP Software Security Response Team"]


-Type: Information leak
-Risk: low
-Author: Andrea "bunker" Purificato - http://rawlab.mindcreations.com

-Description: the "ps" command (also /usr/ucb/ps) on HP OSF1 v5.1 Alpha,
developed without an eye to security, allows unprivileged users to see
values of all processes environment variables.

It's something similar to "raptor_ucbps" (by Marco Ivaldi) for Solaris.

I've tested it only on OSF1 v5.1 1885.
If you remove bit suid from executable, "ps" doesn't work correctly.

-Code: http://rawlab.mindcreations.com/codes/exp/nix/osf1true64ps.ksh

Your post reminded me of something I had read in some program's documentation many moons ago.

Quote from the Postgres documentation:
"PGPASSWORD sets the password used if the server demands password authentication. Use of this environment variable is not recommended for security reasons (some operating systems allow non-root users to see process environment variables via ps); instead consider using the ~/.pgpass file (see Section 29.13)."


I kind of wonder if they are specifically refering to Tru64, or if there are others too. I would guess the behavior you just discovered has been known for a long time.

Ivan

PS: Why should ps to work correctly without the setuid bit?