[15237] in bugtraq
[ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability
daemon@ATHENA.MIT.EDU (loveyou@DOGFOOT.HACKERSLAB.ORG)
Thu Jun 8 03:20:32 2000
Message-Id: <200006070511.OAA05492@dogfoot.hackerslab.org>
Date: Wed, 7 Jun 2000 14:11:48 +0900
Reply-To: loveyou@DOGFOOT.HACKERSLAB.ORG
From: loveyou@DOGFOOT.HACKERSLAB.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
================================================================================
[ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability
================================================================================
File : /usr/sbin/snmpdm
SYSTEM : HP-UX 11.00
Tested on HP-UX B.11.00 A
INFO :
Snmpdm : Simple Network Management Protocol (SNMP) Daemon
When the SNMP daemon is started, it creates a temporary file and changes
the permissions of its setup file.
1. Creation of a temporary file by the SNMP daemon
When the snmpd daemon is started, it creates the /tmp/snmpd.log file with
root privileges. Unfortunately, the file has 777 permissions.
$ ls -al /tmp/snmpd.log
-rwxrwxrwx 1 root sys 23 Jun 4 01:23 /tmp/snmpd.log
2. Permissions of the SNMP daemon's setup file
The /etc/SnmpAgent.d/snmpd.conf file, the setup file of the SNMP daemon, is world-writable.
$ ls -al /etc/SnmpAgent.d/snmpd.conf
-rw-rw-rw- 1 root sys 6959 Jun 3 21:03 /etc/SnmpAgent.d/snmpd.conf
You can create a file using a simple symbolic link, and you can obtain
root by inserting a trap program.
The /tmp/snmpd.log file is created even if the log file is specified with the -l option.
# /usr/sbin/snmpdm -l /etc/snmpd.log
SNMP Research SNMP Agent Resident Module Version 14.0.1.0
Copyright 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996 SNMP Research, Inc.
# ls -al /etc/snmpd.log
-rw-rw-rw- 1 root sys 83 Jun 4 01:27 /etc/snmpd.log
# ls -al /tmp/snmpd.log
-rwxrwxrwx 1 root sys 23 Jun 4 01:27 snmpd.log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SOLUTION
The best way is to disable the SNMP daemon, because there is currently no patch
available from HP.
# diff /etc/rc.config.d/SnmpMaster.orig /etc/rc.config.d/SnmpMaster
43c43
< SNMP_MASTER_START=1 # Start the master SNMP agent.
---
> SNMP_MASTER_START=0 # Start the master SNMP agent.
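Review bot: line 43 still carries the comment "# Start the master SNMP agent." beside a value that now disables it, so the comment should say the agent is disabled and why. This file is only read when the start-up scripts run, so a daemon that is already running has to be stopped separately, and the existing /tmp/snmpd.log and snmpd.conf keep their current modes until they are corrected.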
Also make sure to restrict the permissions on the directory that holds the SNMP daemon's setup file,
because the permissions of the /etc/SnmpAgent.d/snmpd.conf file are changed to mode 666
whenever the SNMP daemon is executed.
chmod 700 /etc/SnmpAgent.d
==-------------------------------------------------------------------------------==
********
* ** ** *
* ** ** *
* ****** *
* ** ** * loveyou@hackerslab.org
* ** ** * [ http://www.hackerslab.org ]
******** HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------------==
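A check for the two conditions the advisory describes (a world-writable file, or a symbolic link sitting at a path the root daemon writes to), as an added example that is not part of the original post. The three paths are the ones shown in the advisory; the function names check_path and audit_paths are this example's own.

```shell
#!/bin/sh
# Added example: audit the files named in the advisory.
# Uses only POSIX sh, ls and awk, so it does not depend on a stat(1) command.

# Paths shown in the advisory.
SNMP_PATHS="/tmp/snmpd.log /etc/SnmpAgent.d/snmpd.conf /etc/snmpd.log"

# check_path PATH
# Prints one finding and returns 1 if PATH is a symlink or is world-writable.
# Prints nothing and returns 0 if PATH is absent or has neither problem.
check_path() {
    p=$1
    if [ -h "$p" ]; then
        # A link here means writes by the root daemon land on the link target.
        echo "SYMLINK $p"
        return 1
    fi
    [ -e "$p" ] || return 0
    # First ls -ld field is the mode string, e.g. -rwxrwxrwx.
    mode=$(ls -ld "$p" | awk '{print $1}')
    case $mode in
        # Character 9 is the write bit for "other".
        ????????w*) echo "WORLD-WRITABLE $p $mode"; return 1 ;;
    esac
    return 0
}

# audit_paths PATH...
# Runs check_path on every argument; returns 1 if any path had a finding.
audit_paths() {
    rc=0
    for f in "$@"; do
        check_path "$f" || rc=1
    done
    return $rc
}

# Stand-alone run against the advisory's paths (word splitting is intended).
audit_paths $SNMP_PATHS || echo "review the findings above"
```

Running it before and after the daemon starts shows whether the modes are being reset, as the advisory reports for snmpd.conf.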