[9690] in bugtraq
Re: snap utility for AIX.
daemon@ATHENA.MIT.EDU (J. Barber)
Sat Feb 20 17:03:00 1999
Date: Fri, 19 Feb 1999 22:55:26 -0800
Reply-To: "J. Barber" <jab@LINKLINE.COM>
From: "J. Barber" <jab@LINKLINE.COM>
X-To: Brian Hauber <hauber@AUSTIN.IBM.COM>
To: BUGTRAQ@NETSPACE.ORG
Seeing that snap uses the /tmp/ibmsupt/general directory. I created the directory as a normal user first on AIX 4.2.1. Then I did a touch on /tmp/ibmsupt/general/passwd. Once the passwd file was created I then did tail -f /tmp/ibmsupt/general/passwd. In another session I logged in as root and ran snap -a. This caused the contents of the /etc/security/passwd to show up in my tail command.
The way I see it, this could be a major security breach. I suggest not using snap.
-----Original Message-----
From: Brian Hauber [SMTP:hauber@AUSTIN.IBM.COM]
Sent: Friday, February 19, 1999 5:51 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: snap utility for AIX.
On Wed, Feb 17, 1999 at 10:17:08AM -0500, Larry W. Cashdollar wrote:
> My friend actually brought this to my attention, the snap command is a
> diagnostic utlitiy for gathering system information on AIX platforms.
> It can only be executed by root, but it copies various system files into
> /tmp/ibmsupt/
> under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext.
> The danger here is if a system administrator executes snap -a as sometimes
> requested by IBM support while diagnosing a problem it defeats password
> shadowing. I would think that snap would create the directory 700
> root:root.
Yes, /tmp/ibmsupt is created with 755 permissions however what you
neglected to check was the permissions on /tmp/ibmsupt/general/passwd
I took the liberty of running 'snap -a' on our systems here at varying
levels and here are the results:
-------------------------------------------------------------------------------
3.2.5.1 with 3.2.5.1-02 Maintenance Level
# ls -ld /tmp/ibmsupt
drwxr-xr-x 17 root system 512 Feb 18 02:08 /tmp/ibmsupt/
HOWEVER
# ls -ld /tmp/ibmsupt/general/passwd
-rw------- 1 root security 1585 Feb 9 05:45 /tmp/ibmsupt/general/passwd
-------------------------------------------------------------------------------
4.1.5 BASE
# ls -ld /tmp/ibmsupt
drwxr-xr-x 15 root system 512 Feb 18 14:05 /tmp/ibmsupt/
HOWEVER
# ls -ld /tmp/ibmsupt/general/passwd
-rw------- 1 root security 645 Feb 15 15:22 /tmp/ibmsupt/general/passwd
-------------------------------------------------------------------------------
4.1.5 with 4.1.5-01 Maintenance Level
# ls -ld /tmp/ibmsupt
drwxr-xr-x 15 root system 512 Feb 18 14:05 /tmp/ibmsupt/
HOWEVER
# ls -ld /tmp/ibmsupt/general/passwd
-rw------- 1 root system 2183 Feb 18 10:09 /tmp/ibmsupt/general/passwd
--------------------------------------------------------------------------------
4.2.1 BASE
# ls -ld /tmp/ibmsupt
drwxr-xr-x 15 root system 512 Feb 18 14:05 /tmp/ibmsupt/
HOWEVER
# ls -ld /tmp/ibmsupt/general/passwd
-rw------- 1 root security 645 Feb 15 15:22 /tmp/ibmsupt/general/passwd
--------------------------------------------------------------------------------
4.2.1 with 4.2.1-03 Maintenance Level
# ls -ld /tmp/ibmsupt
drwxr-xr-x 15 root system 512 Feb 18 14:05 /tmp/ibmsupt/
HOWEVER
# ls -ld /tmp/ibmsupt/general/passwd
-rw------- 1 root security 645 Feb 15 15:22 /tmp/ibmsupt/general/passwd
--------------------------------------------------------------------------------
4.3.1 BASE
# ls -ld /tmp/ibmsupt
drwxr-xr-x 18 root system 512 Feb 18 12:03 /tmp/ibmsupt/
HOWEVER
# ls -ld /tmp/ibmsupt/general/passwd
-rw------- 1 root security 1210 Feb 18 10:55 /tmp/ibmsupt/general/passwd
--------------------------------------------------------------------------------
4.3.2 BASE
# ls -ld /tmp/ibmsupt
drwx------ 18 root system 512 Feb 18 14:02 /tmp/ibmsupt/
--------------------------------------------------------------------------------
This "problem" seems to have been fixed at 4.3.2.
--
Brian Hauber | AIX Support Line | E-mail: hauber@austin.ibm.com
