[11034] in bugtraq
Re: Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
daemon@ATHENA.MIT.EDU (Symon Aked)
Thu Jul 15 20:44:09 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <199907150352.NAA20780@aspen.start.com.au>
Date: Thu, 15 Jul 1999 03:51:24 "GMT"
Reply-To: Symon Aked <symon@START.COM.AU>
From: Symon Aked <symon@START.COM.AU>
X-To: "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
I tested the boxes I have under my command for this prob, and got the
following results:
AIX 4.2.1 - running Patrol 3.1 (AIX3.2-RS) - doesnt have snmpmagt.
AIX 4.2.1 - running Patrol 3.22 (AIX4.1-RS) - file created.
Solaris 2.5.1 - running Patrol 3.2 (Solaris25-sun4) - file created.
HP-UX 10.01 - running Patrol 3.2 (HPUX-PA1.1-V10) - file created.
> note: if the file exists it keeps the same perms, otherwise creates it
> with perms based on your umask and chown's to whoever owns the parent
> directory of the file you're creating. if the file exists it overwrites it
> with "i^A" then the result of gethostname() and some whitespace. this
> problem is not platform dependent and was tested based on out of box
> install on an HP.
Hmmmmm - I cant seem to replicate the directory-owner prob. It seems to me
that snmpmagt creates the desired file with the owner set to the same as
the owner of snmpmagt. Here's a quick test I ran:
"
root@fish # pwd
/export/home/patrol/PATROL3.2/Solaris25-sun4/bin
root@fish # ls -al ./snmpmagt
-rwsr-xr-x 1 root staff 120364 Aug 26 1997 ./snmpmagt
root@fish # mkdir /symon/patroltest
root@fish # chmod 777 /symon/patroltest
root@fish # ls -al /symon | egrep "patroltest"
drwxrwxrwx 2 root other 512 Jul 15 11:39 patroltest
root@fish # umask 0
root@fish # ./snmpmagt cheese.cheese /symon/patroltest/cheese
cheese.cheese: No such file or directory
smux bind failure: Address already in use
./snmpmagt: error processing configuration
root@fish # ls -al /symon/patroltest/cheese
-rw-rw-rw- 1 root other 770 Jul 15 11:40 /symon/patroltest/cheese
root@fish # chown patrol ./snmpmagt
root@fish # ./snmpmagt cheese.cheese /symon/patroltest/cheese.2
cheese.cheese: No such file or directory
snmp bind failure: Permission denied
smux bind failure: Permission denied
./snmpmagt: error processing configuration
root@fish # ls -al /symon/patroltest
total 8
drwxrwxrwx 2 root other 512 Jul 15 11:41 .
drwxr-xr-x 5 root other 1024 Jul 15 11:39 ..
-rw-rw-rw- 1 root other 770 Jul 15 11:40 cheese
-rw-rw-rw- 1 patrol other 770 Jul 15 11:41 cheese.2
"
- Symon Aked (symon at start dot com dot au)...
__________________________________________________________________
Get your free Australian email account at http://www.start.com.au/
