[12914] in bugtraq


Solaris WBEM 1.0: plaintext password stored in world readable file

daemon@ATHENA.MIT.EDU (Michael Gerdts)
Fri Dec 10 11:17:46 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19991206113245.C29162@cae.wisc.edu>
Date:         Mon, 6 Dec 1999 11:32:46 -0600
Reply-To: Michael Gerdts <gerdts@CAE.WISC.EDU>
From: Michael Gerdts <gerdts@CAE.WISC.EDU>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

A while back I was looking at Sun's WBEM (Web-Based Enterprise Management)
and noticed that the preinstall script asked for a password.  According to
the way that Sun's packaging works, for the password to be used during the
installation the password would need to be stored in a file.  Sure 'nuf--
it was stored in /var/sadm/pkg/SUNWwbcor/pkginfo.  If you have installed
WBEM and have not changed the admin password, I suggest changing the
password.

I have reported this bug to Sun.  My report and Sun's response appear
below.  I see no indication at http://www.sun.com/solaris/wbem/ that a new
version is available.  It does appear (from a bug report in the Sunsolve
database) that the Solaris 8 beta includes WBEM 2.0.

Without authenticating, a search for wbem at http://sunsolve.sun.com/
reveals no documents unless I authenticate with my support login and
password.  Using my support login, I still can find no mention of this
installation bug.

Jim-- is there any word on a publicly available fix for this?  When will
Sun release a security patch related to this?  Since everyone had to
register to download a copy of WBEM 1.0, will Sun send an announcement to
those that downloaded it notifying them of the vulnerability?

Mike

----- Forwarded message from Jim Davis <james.d.davis@east.sun.com> -----

Date: Fri, 05 Nov 1999 14:13:43 -0500
From: Jim Davis <james.d.davis@east.sun.com>
To: Michael Gerdts <gerdts@cae.wisc.edu>
CC: wbem-interest@Sun.COM
Subject: Re: SECURITY: plaintext admin password stored in world readable file

Hi Mike,
    This is no longer asked in the latest version. This version will be posted
to the web in the next 3 - 4 weeks.

Jim Davis


Michael Gerdts wrote:

> During the installation of SUNWwbcor 1.0, the installer is prompted for a
> password by the package's request script.  That password is then stored in
> plain text in /var/sadm/pkg/SUNWwbcor/pkginfo, which is a world-readable
> file.  This seems to be a necessary evil, given the specifications of the
> Solaris software packaging scheme.
>
> Please add a step to the installation instructions that explains this
> vulnerability and instructs people to change the admin password.
>
> Mike
>
> --
> Mike Gerdts
> UNIX Systems Administrator
> Computer-Aided Engineering Center
> University of Wisconsin - Madison

----- End forwarded message -----

--
Mike Gerdts
UNIX Systems Administrator
Computer-Aided Engineering Center
University of Wisconsin - Madison
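The check below is an added audit example; it is not code from the post, from Sun, or from the WBEM package. It walks a /var/sadm/pkg-style tree and reports every pkginfo file that is both world-readable and carries a parameter whose name looks like a password, which is the condition the post describes for SUNWwbcor. The post does not name the WBEM parameter, so the key-name heuristic (any key containing "pass", case-insensitive) is an assumption, and the package tree the script builds for its demo is constructed sample data.

```shell
#!/bin/sh
# Added audit example; not code from the original post or from Sun.
# Scans a /var/sadm/pkg-style tree for pkginfo files that are world-readable
# and contain a parameter whose name looks like a password. The post does
# not name the WBEM parameter, so the name heuristic (key contains "pass",
# case-insensitive) is an assumption.

# find_password_params BASE_DIR
# Prints "<package> <key>" for every world-readable pkginfo under BASE_DIR
# that carries a password-like key. Always exits 0; callers count lines.
find_password_params() {
    base="$1"
    for f in "$base"/*/pkginfo; do
        [ -f "$f" ] || continue
        # -perm -004 is the POSIX spelling of "other has read permission".
        [ -n "$(find "$f" -perm -004)" ] || continue
        # pkginfo is KEY=value, one parameter per line; inspect keys only,
        # so the match is on the parameter name, never on its value.
        keys=$(sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$f" | grep -i 'pass' || true)
        pkg=$(basename "$(dirname "$f")")
        for k in $keys; do
            echo "$pkg $k"
        done
    done
}

# count_password_params BASE_DIR
# Number of findings as a plain integer, for scripting.
count_password_params() {
    find_password_params "$1" | wc -l | tr -d ' '
}

# make_fixture DIR
# Builds a constructed package tree (sample values, not real Sun metadata):
#  - SUNWwbcor: mode 644 pkginfo with a password-like key -> flagged
#  - SUNWsafe:  mode 600 pkginfo with the same key -> not world-readable, skipped
#  - SUNWplain: mode 644 pkginfo with no such key -> skipped
make_fixture() {
    d="$1"
    mkdir -p "$d/SUNWwbcor" "$d/SUNWsafe" "$d/SUNWplain"
    printf 'PKG=SUNWwbcor\nNAME=WBEM core (constructed)\nADMIN_PASSWORD=constructed-sample\n' > "$d/SUNWwbcor/pkginfo"
    printf 'PKG=SUNWsafe\nADMIN_PASSWORD=constructed-sample\n' > "$d/SUNWsafe/pkginfo"
    printf 'PKG=SUNWplain\nNAME=nothing sensitive\n' > "$d/SUNWplain/pkginfo"
    chmod 644 "$d/SUNWwbcor/pkginfo" "$d/SUNWplain/pkginfo"
    chmod 600 "$d/SUNWsafe/pkginfo"
}

# Stand-alone demo: audit the constructed tree, then clean up.
tmp=$(mktemp -d)
make_fixture "$tmp"
find_password_params "$tmp"      # prints: SUNWwbcor ADMIN_PASSWORD
rm -rf "$tmp"
```

On a real host, run `find_password_params /var/sadm/pkg` as root; any line it prints is a package whose request-script answer is sitting in a file every local user can read, and the follow-up is the one the post gives: change that password, since the stored value must be treated as already disclosed.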
