[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Security Vulnerability in chfn executable

Title: Security Vulnerability in chfn executable
Released by: HP
Date: 1st September 1997
Printable version: Click here

Document Id: [HPSBUX9701-049]

Date Loaded: [01-09-97]

Description: Security Vulnerability in chfn executable


- -------------------------------------------------------------------------

       HEWLETT-PACKARD SECURITY BULLETIN: #00049, 09 January 1997

- -------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon

as soon as possible.  Hewlett Packard will not be liable for any

consequences to any customer resulting from customer's failure to fully

implement instructions in this Security Bulletin as soon as possible.

- -------------------------------------------------------------------------

PROBLEM:  Security vulnerability in the chfn executable

PLATFORM: HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X

DAMAGE:   Vulnerabilities exists allowing local users to gain root


SOLUTION: Apply patch:

          PHCO_9595 for all platforms with HP-UX releases 9.X

          PHCO_9596 for all platforms with HP-UX releases 10.00/10.01/10.10

          PHCO_9597 for all platforms with HP-UX releases 10.20

AVAILABILITY:  All patches are available now.

- -------------------------------------------------------------------------


   A. Background

      A vulnerability with the chfn command (/usr/bin/chfn) has been


   B. Fixing the problem

      The vulnerability can be eliminated from HP-UX releases 9.X and

      10.X by applying the appropriate patch.

   C. Recommended solution

      1.  Determine which patch are appropriate for your operating


      2.  Hewlett-Packard's HP-UX patches are available via email

          and the World Wide Web

          To obtain a copy of the Hewlett-Packard SupportLine email

          service user's guide, send the following in the TEXT PORTION

          OF THE MESSAGE to support@us.external.hp.com (no Subject

          is required):

                               send guide

          The users guide explains the HP-UX patch downloading process

          via email and other services available.

          World Wide Web service for downloading of patches

          is available via our URL:


      3.  Apply the patch to your HP-UX system.

      4.  Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log

          (10.X), for any relevant WARNING's or ERROR's.

   D. Impact of the patch

      The patches for HP-UX releases 9.X and 10.X provide enhancements

      to the chfn executable to avoid this vulnerability.

   E. To subscribe to automatically receive future NEW HP Security

      Bulletins from the HP SupportLine Digest service via electronic

      mail, do the following:

      1)  From your Web browser, access the URL:

      http://us-support.external.hp.com (US,Canada,

      Asia-Pacific, and Latin-America)

      http://europe-support.external.hp.com  (Europe)

      2)  On the HP Electronic Support Center main screen, select

      the hyperlink "Support Information Digests".

      3)  On the "Welcome to HP's Support Information Digests" screen,

      under the heading "Register Now", select the appropriate hyperlink

      "Americas and Asia-Pacific", or "Europe".

      4)  On the "New User Registration" screen, fill in the fields for

      the User Information and Password and then select the button labeled

      "Submit New User".

      5)  On the "User ID Assigned" screen, select the hyperlink

      "Support Information Digests".

      ** Note what your assigned user ID and password are for future


      6)  You should now be on the "HP Support Information Digests Main"

      screen.  You might want to verify that your email address is correct

      as displayed on the screen.  From this screen, you may also

      view/subscribe to the digests, including the security bulletins


      To get a patch matrix of current HP-UX and BLS security

       patches referenced by either Security Bulletin or Platform/OS,

       click on following screens in order:

         Technical Knowledge Database

         Browse Security Bulletins

         Security Bulletins Archive

         HP-UX Security Patch Matrix

   F. To report new security vulnerabilities, send email to


      Please encrypt any exploit information using the security-alert

      PGP key, available from your local key server, or by sending a

      message with a -subject- (not body) of 'get key' (no quotes) to


   Permission is granted for copying and circulating this Bulletin to

   Hewlett-Packard (HP) customers (or the Internet community) for the

   purpose of alerting them to problems, if and only if, the Bulletin is

   not edited or changed in any way, is attributed to HP, and provided

   such reproduction and/or distribution is performed for non-commercial


   Any other use of this information is prohibited.  HP is not liable

   for any misuse of this information by any third party.


(C) 1999-2000 All rights reserved.