[15287] in bugtraq


Re: [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability

daemon@ATHENA.MIT.EDU (Chris Calabrese)
Sat Jun 10 02:46:28 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000608192009.8053.qmail@web219.mail.yahoo.com>
Date:         Thu, 8 Jun 2000 12:20:09 -0700
Reply-To: Chris Calabrese <chris_calabrese@YAHOO.COM>
From: Chris Calabrese <chris_calabrese@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

>> 1. The creation of temporary file of SNMP daemon
>
> As far as I can tell, the worst thing you can do
> with this is modify the log entries.
> Not a good thing, but not like you can become
> root or anything.  Of course, even if the file
> permissions problem were fixed, I'm guessing
> the thing would still follow sym-links, re-use
> existing files owned by other users, etc.

Hmm, that doesn't scan quite right.  Let me
clarify myself...  The fact that the file is
world-writable doesn't present a root compromise.

The fact that the file uses a fixed name in
a world writable directory does cause a problem
unless code is put in place to make sure the
thing won't follow symbolic links or overwrite
existing files of the same name owned by other
users.  In particular, if the code follows
sym-links (I'm guessing it does, though I
haven't tested this theory), there are
obvious root compromises.

I'll stick by my previous statement
that the "right" way to do this is log
to syslog.
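
The check the message calls for (use a fixed-name file in a world-writable directory without following symbolic links or reusing another user's file), written in C as an added example; it is not part of the original post and is not the HP-UX SNMP daemon's code. The name `open_log_safely` and the sample path are hypothetical, and the code assumes a POSIX.1-2008 system that provides `O_NOFOLLOW`.

```c
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (added example): open a fixed-name log file for append
 * without following a symlink or reusing a file planted by another user.
 * Returns a file descriptor, or -1 with errno set. */
int open_log_safely(const char *path)
{
    struct stat st;

    /* Create it ourselves if possible. O_CREAT|O_EXCL fails with EEXIST if
     * anything, including a dangling symlink, already has that name.
     * Mode 0600: never world-writable. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;

    /* Name exists: refuse a symlink in the last component (ELOOP), and do
     * not block if someone left a FIFO there. */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* Inspect the object actually opened (fstat on the fd, not stat on the
     * name, so the answer cannot change between check and use). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() ||              /* someone else's file */
        st.st_nlink != 1 ||                    /* hard-linked elsewhere */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {  /* group/world-writable */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *path = "/tmp/example-daemon.log";  /* constructed path */
    int fd = open_log_safely(path);
    if (fd < 0) { perror(path); return EXIT_FAILURE; }
    if (write(fd, "started\n", 8) != 8) perror("write");
    return close(fd) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

`O_NOFOLLOW` only covers the final path component, so the directory holding the file still has to be one the daemon trusts.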



