OSEC

From: Rob Bartlett - HES CTE (rb124078MONTGOMERY.UK.SUN.COM)
Date: Thu Mar 15 2001 - 04:57:51 CST

    psorAFIP.GOV.AR said:
    > The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root and
    > contains a buffer overflow. The problem occurs when it copies its own
    > name (argv[0]) to an internal variable without checking its length,
    > and this causes the overflow.

    This package is not part of a standard install; it would only be loaded on the
    SSP of an E10K, which, if recommended practice is followed, would be on a
    controlled admin network and would only allow access to the users ssp, root
    and perhaps application IDs like patrol. The reason it is setuid is that it
    is normally started by the user ssp and needs to access privileged ports.

    The variable which gets overwritten is static so it would be extremely
    difficult if not impossible to exploit. The best you can do is cause the
    invoked snmpd to fail.

    That having been said, I have logged a bug (Id: 4425460) so the problem will
    be fixed in future releases.

    Regards,

    Rob

    --
    Sun Microsystems HES-CTE          Weave a circle round him thrice,
    mailto: Rob.BartlettUK.Sun.COM     And close your eyes with holy dread,
    Tel: +44 1276-455-299               For he on honey-dew hath fed,
    Mobile: +44 7710-901-701          And drunk the milk of Paradise.
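
Added example, not part of the original message and not Sun's code: one way a setuid program can record its own name from argv[0] in a fixed-size static buffer with the length check the report says was missing. The buffer size, the function names and the fallback name are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define PROGNAME_MAX 64              /* assumed size; the thread does not give the real one */

static char progname[PROGNAME_MAX];  /* static storage, as described in the reply */

/* The unchecked pattern the report describes is equivalent to
 *     strcpy(progname, argv[0]);
 * argv[0] is chosen by whoever calls execve(), so its length is caller-controlled. */

/* Bounded copy of the program name. Returns 0 on success, -1 if argv[0] is
 * missing, empty, or too long; on failure progname holds a fixed fallback. */
int set_progname(int argc, char *const argv[])
{
    static const char fallback[] = "snmpd";
    const char *name, *slash;
    size_t len;

    memcpy(progname, fallback, sizeof fallback);

    /* execve() permits an empty argument vector, so argv[0] may be NULL. */
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return -1;

    /* Keep only the last path component. */
    name = argv[0];
    slash = strrchr(name, '/');
    if (slash != NULL)
        name = slash + 1;

    len = strlen(name);
    if (len == 0 || len >= sizeof progname)
        return -1;                   /* refuse rather than silently truncate */

    memcpy(progname, name, len + 1); /* len + 1 <= sizeof progname, includes the NUL */
    return 0;
}

const char *get_progname(void) { return progname; }

int main(int argc, char *argv[])
{
    /* A setuid program should stop here on failure, before any privileged work. */
    return set_progname(argc, argv) == 0 ? 0 : 1;
}
```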