DEPARTMENT OF ENERGY
INFORMATION SECURITY RESOURCE CENTER
PACIFIC NORTHWEST NATIONAL LABORATORY

ADVISORY NOTICE No. 2.1
November 22, 1996

EXPLOITATION OF HEWLETT PACKARD OPERATING SYSTEMS SOFTWARE


BACKGROUND

The Information Security Resource Center (ISRC) continues to monitor messages originating from computer underground sources. Individuals identifying themselves as the "Scriptors of Doom" have posted messages to underground bulletin boards in a possible attempt to influence the solicitation of money by listing exploitable vulnerabilities of Hewlett Packard (HP) systems software. The Internet address identified as "sod@command.com.inter.net" posts new information weekly, specifically targeting vulnerabilities of HP-UX UNIX operating systems software. Because of the intent, broad scope, and potential seriousness of this information, the ISRC has initiated preliminary efforts to determine the credibility of the malicious program in question.


BACKGROUND INFORMATION

This is a continuation of the information published previously in Information Advisory Notice Number 2. In this instance the vulnerability involves the Command-line Support Tool Manager (CSTM) and/or Menu-driven Support Tool Manager (MSTM) software. This software is intended to test system components, e.g., hard disks, and system capabilities, e.g., random access memory (RAM). Exploitation of this vulnerability forces a buffer overflow in the CSTM and/or MSTM commands. Since these commands provide access to low-level system information normally requiring root privileges, the user is left with root access after the overflowed command fails.


VALIDATION EFFORTS

The ISRC, in coordination with a Pacific Northwest National Laboratory computer scientist, confirmed the credibility of the identified HP-UX operating system weaknesses. Using a stand-alone HP system, an attempt to gain root access was launched. The code contained in the message was downloaded, compiled, and run. This action resulted in a buffer overflow, leaving the user with root privileges. The system used was running HP 9.01 version software and a "C" language compiler. However, attempts to exploit the same vulnerabilities on HP 10.0 operating software were unsuccessful.


POSSIBLE IMPACT

HP systems are in wide use in the commercial and academic worlds. This is of particular interest because of the close interaction between universities and DOE national laboratories. These systems are also believed to be in place throughout the DOE complex. HP systems are normally chosen because they are superior for running the UNIX platform and are very reliable. HPs are also very well suited for processing scientific data and for developing code.


RECOMMENDED ACTION

It is recommended that this information be coordinated with the Computer Incident Advisory Capability and that this investigation be continued in an attempt to determine whether exploitation of these vulnerabilities is a potential threat to the DOE Information Assurance Infrastructure.




Last Updated October 2001