HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

111

112

113

114

115

116

117

118

119

120

Table 15 Argument with Nonprintable Character Alert Properties (continued)

DescriptionAlert Value/FormatAlert Field

Type

Alert FieldResponse Program

Argument

The user ID, group ID, process ID,

and parent process ID of the

uid=<uid>, gid=<gid>,

pid=<pid>, ppid=<ppid>

StringAttackerargv[5]

process that executed a

privileged setuid program with

an argument that contains a

nonprintable character

The full path name of the setuid

program the attacker executed

file=<full pathname>,

type=<type>,

mode=<mode>, uid=<uid>,

StringTarget of attackargv[6]

with an argument that contains a

gid=<gid>, inode=<inode>,

device=<device>

nonprintable character and the

program’s type mode, uid, gid,

inode, and device number

Alert summaryPotential buffer overflow

detected

StringSummaryargv[7]

Detailed alert descriptionPotential buffer overflow

attack by process with pid

StringDetailsargv[8]

<pid> and ppid <ppid> when

executing <program>(type=

<type>, inode=<inode>,

device=<device), invoked as

follows: <argv[0]><argv[1]>

contains non-printable

characters.

The event that triggered the alert.nullStringEventargv[9]

NOTE: Table 41 (page 150) in Appendix B for the definition of additional arguments, that can

be used to access specific alert information (for example, pid and ppid) without parsing the string

alert fields above.

Limitations

The Buffer Overflow template has the following limitations:

• The template does not detect whether a buffer overflow attack was successful. It only detects

that one might have been attempted.

• The template only reports exec-on-stack buffer overflow attacks on HP-UX 11i when exec-on-stack

protection is enabled.

Race Condition Template

The vulnerability addressed by this template

Some attacks use the time between a program’s check of a file and the time that the program uses

that file. The race condition is sometimes referred to as the Time-To-Check-To-Time-To-Use (TOCTTOU)

vulnerability. For instance, a mail delivery program checks to see if a file exists before it changes

ownership of the file to the intended recipient. If an attack can change the file reference between

these two steps, it can cause the program to change the ownership of an arbitrary file.

Certain TOCTTOU attacks against privileged setuid scripts use the time between the kernel

determining that program is a privileged script and spawns an interpreter with privilege, and the

interpreter opening the script to execute it. If an attacker can change the file reference between

these two steps, it can cause the interpreter to execute an arbitrary script with privilege. An attacker

can exploit the vulnerability by repeatedly executing a privileged setuid script with a symbolic

link, where the symbolic link is constantly being changed from pointing to the privileged script to

pointing to the attacker’s own attack script. Starting with HP-UX 11i v1.6, a kernel tunable parameter

called secure_sid_scripts (5) was introduced with a default value that indicates that the

Race Condition Template 115