[19665] in bugtraq
Re: Solaris 5.8 snmpd Vulnerability
daemon@ATHENA.MIT.EDU (Rob Bartlett - HES CTE)
Thu Mar 15 13:10:52 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <200103151057.KAA23599@montgomery.UK.Sun.COM>
Date: Thu, 15 Mar 2001 10:57:51 +0000
Reply-To: Rob Bartlett - HES CTE <rb124078@MONTGOMERY.UK.SUN.COM>
From: Rob Bartlett - HES CTE <rb124078@MONTGOMERY.UK.SUN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from Pablo Sor <psor@AFIP.GOV.AR> of "Tue, 13 Mar 2001 07:34:40 -0400." <3AAE05D0.C55CA0C3@afip.gov.ar>
psor@AFIP.GOV.AR said:
> The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root and
> contains a buffer overflow. The problem occurs when it copies its own
> name (argv[0]) to an internal variable without checking its length,
> and this causes the overflow.
This package is not part of a standard install; it would only be loaded on the
SSP of an E10K, which, if recommended practice is followed, would be on a
controlled admin network and would only allow access to the users ssp, root
and perhaps application IDs like patrol. The reason it is setuid is that it
is normally started by the user ssp and needs to access privileged ports.
The variable which gets overwritten is static, so it would be extremely
difficult, if not impossible, to exploit. The best you can do is cause the
invoked snmpd to fail.
That having been said, I have logged a bug (Id: 4425460) so the problem will
be fixed in future releases.
Regards,
Rob
--
Sun Microsystems HES-CTE
mailto: Rob.Bartlett@UK.Sun.COM
Tel: +44 1276-455-299
Mobile: +44 7710-901-701

Weave a circle round him thrice,
And close your eyes with holy dread,
For he on honey-dew hath fed,
And drunk the milk of Paradise.
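The pattern the quoted report describes, as an added illustration that is not code from either posting nor from Sun's snmpd: a file-scope (static) buffer that receives argv[0] through an unbounded strcpy(), next to a bounded version that measures first and refuses a name that does not fit. The buffer size PROG_NAME_MAX, the function names and the 'A'-filled argv[0] are assumptions constructed for the example; the real layout of /opt/SUNWssp/snmpd is not shown on the list. A caller sets argv[0] to anything it likes via execv(), so the program's "own name" is untrusted input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size: the real size in /opt/SUNWssp/snmpd is not
 * given on the list. */
#define PROG_NAME_MAX 32

/* File-scope storage, as in the pattern the report describes: the buffer
 * lives in .bss rather than on the stack, so an overflow tramples
 * neighbouring globals rather than a saved return address. */
static char prog_name[PROG_NAME_MAX];

/* Vulnerable pattern: argv[0] copied with no length check. Any argv[0] of
 * PROG_NAME_MAX bytes or more writes past the end of prog_name. */
void set_prog_name_unbounded(const char *argv0)
{
    strcpy(prog_name, argv0);
}

/* Hardened form: measure first, refuse anything that does not fit, and
 * leave the buffer untouched on rejection so the caller can exit cleanly
 * instead of running with a truncated name. Returns 0 on success, -1 if
 * the name (plus its NUL) would not fit. */
int set_prog_name_bounded(const char *argv0)
{
    size_t n = strlen(argv0);
    if (n >= sizeof prog_name)
        return -1;
    memcpy(prog_name, argv0, n + 1);   /* n + 1 includes the terminating NUL */
    return 0;
}

const char *get_prog_name(void)
{
    return prog_name;
}

/* Constructed input: an argv[0] of `len` 'A' bytes. This is what a caller
 * can hand the setuid binary with, e.g.,
 *     char *argv[] = { evil, NULL }; execv("/opt/SUNWssp/snmpd", argv);
 * so argv[0] must be treated as untrusted. Caller frees the result. */
char *make_long_argv0(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char *evil = make_long_argv0(200);
    if (evil == NULL)
        return 1;

    /* The unbounded copy is only safe to call with a name that fits. */
    set_prog_name_unbounded("snmpd");
    printf("unbounded copy of short name: %s\n", get_prog_name());

    /* The bounded copy rejects the oversized name and keeps the old value. */
    if (set_prog_name_bounded(evil) == -1)
        printf("bounded copy rejected %zu-byte argv[0]; name is still \"%s\"\n",
               strlen(evil), get_prog_name());

    /* set_prog_name_unbounded(evil) here would overflow prog_name. */
    free(evil);
    return 0;
}
```

The bounded version rejects rather than truncates: a daemon that silently runs under a clipped name can mislead logging and process accounting, whereas refusing to start is the failure the reply above already accepts as the worst case.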