Subject: [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability
From: loveyouDOGFOOT.HACKERSLAB.ORG
Date: Wed Jun 07 2000 - 00:11:48 CDT


================================================================================

             [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability

================================================================================

File : /usr/sbin/snmpdm

SYSTEM : HP-UX 11.00

           Tested on HP-UX B.11.00 A

INFO :

Snmpdm : Simple Network Management Protocol (SNMP) Daemon
When the SNMP daemon is started, it creates a temporary file and changes
the permissions of its setup file.


1. Creation of the SNMP daemon's temporary file

When the snmpd daemon is started, it creates the /tmp/snmpd.log file with
root privileges. Unfortunately, the file is given 777 permissions.
$ ls -al /tmp/snmpd.log
-rwxrwxrwx 1 root sys 23 Jun 4 01:23 /tmp/snmpd.log

2. Permissions of the SNMP daemon's setup file

/etc/SnmpAgent.d/snmpd.conf, the setup file of the SNMP daemon, is world-writable.
$ ls -al /etc/SnmpAgent.d/snmpd.conf
-rw-rw-rw- 1 root sys 6959 Jun 3 21:03 /etc/SnmpAgent.d/snmpd.conf

You can create a file by using a simple symbolic link, and you can obtain
root by inserting a trap program.

The /tmp/snmpd.log file is created even if a log file is specified with the -l option:

# /usr/sbin/snmpdm -l /etc/snmpd.log
SNMP Research SNMP Agent Resident Module Version 14.0.1.0
Copyright 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996 SNMP Research, Inc.
# ls -al /etc/snmpd.log
-rw-rw-rw- 1 root sys 83 Jun 4 01:27 /etc/snmpd.log
# ls -al /tmp/snmpd.log
-rwxrwxrwx 1 root sys 23 Jun 4 01:27 snmpd.log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SOLUTION

The best approach is to disable the SNMP daemon, because no patch is currently
available from HP.

# diff /etc/rc.config.d/SnmpMaster.orig /etc/rc.config.d/SnmpMaster
43c43
< SNMP_MASTER_START=1 # Start the master SNMP agent.

---
> SNMP_MASTER_START=0   # Start the master SNMP agent.
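
Review bot: line 43 keeps the trailing comment "# Start the master SNMP agent." although the value is now 0, so the line reads as if the agent were still started; reword the comment to say that 0 disables the master agent. The change touches only this start-up flag, so the 777 mode on /tmp/snmpd.log and the 666 mode on snmpd.conf shown earlier still need the separate permission step.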

Also make sure to restrict the permissions of the directory that holds the SNMP daemon's setup file, because the mode of /etc/SnmpAgent.d/snmpd.conf is changed to 666 whenever the SNMP daemon is executed.

chmod 700 /etc/SnmpAgent.d

==-------------------------------------------------------------------------------==
loveyouhackerslab.org
[ http://www.hackerslab.org ]
HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------------==
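
An added example, not part of the original advisory: a POSIX shell audit of the two files it names, reporting a symbolic link at the path, a world-writable mode, and whether the directory mode (the chmod 700 above) closes access to the file. The function names, the PREFIX argument and the scratch fixture are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory. Checks file modes only, never content.

# has_mode PATH BITS: true when every bit in BITS is set on PATH itself.
has_mode() { [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]; }

# check_path PATH: prints one finding; returns 0 = ok, 1 = exposed, 2 = absent.
check_path() {
    p=$1
    if [ -h "$p" ]; then echo "EXPOSED  $p is a symbolic link"; return 1; fi
    if [ ! -e "$p" ]; then echo "ABSENT   $p"; return 2; fi
    if has_mode "$p" 002; then
        # A world-writable file is reachable only if others may search its directory.
        if has_mode "$(dirname "$p")" 001; then
            echo "EXPOSED  $p is world-writable"; return 1
        fi
        echo "SHIELDED $p is world-writable, but its directory is closed to others"
        return 0
    fi
    echo "OK       $p"
}

# audit_snmp PREFIX: checks both files from the advisory; returns the exposed count.
# PREFIX is an assumption of this example: "" audits the live system.
audit_snmp() {
    n=0
    for f in /tmp/snmpd.log /etc/SnmpAgent.d/snmpd.conf; do
        st=0; check_path "$1$f" || st=$?
        if [ "$st" -eq 1 ]; then n=$((n + 1)); fi
    done
    return "$n"
}

# build_fixture DIR: constructed sample reproducing the modes the advisory lists.
build_fixture() {
    mkdir -p "$1/tmp" "$1/etc/SnmpAgent.d"
    chmod 1777 "$1/tmp"; chmod 755 "$1/etc/SnmpAgent.d"
    : > "$1/tmp/snmpd.log";              chmod 777 "$1/tmp/snmpd.log"
    : > "$1/etc/SnmpAgent.d/snmpd.conf"; chmod 666 "$1/etc/SnmpAgent.d/snmpd.conf"
}

demo=${TMPDIR:-/tmp}/snmp-audit.$$
build_fixture "$demo"
audit_snmp "$demo" || echo "exposed paths: $?"                  # 2
chmod 700 "$demo/etc/SnmpAgent.d"                               # advisory's chmod
audit_snmp "$demo" || echo "exposed paths after chmod 700: $?"  # 1
rm -rf "$demo"
```

On the constructed fixture the directory chmod shields snmpd.conf but leaves /tmp/snmpd.log exposed, since that file lives outside /etc/SnmpAgent.d.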