Bugtraq mailing list archives
Solaris WBEM 1.0: plaintext password stored in world readable file
From: gerdts () CAE WISC EDU (Michael Gerdts)
Date: Mon, 6 Dec 1999 11:32:46 -0600
A while back I was looking at Sun's WBEM (Web-Based Enterprise Management) and noticed that the preinstall script asked for a password. According to the way that Sun's packaging works, for the password to be used during the installation the password would need to be stored in a file. Sure 'nuf-- it was stored in /var/sadm/pkg/SUNWwbcor/pkginfo. If you have installed WBEM and have not changed the admin password, I suggest changing the password. I have reported this bug to Sun. My report and Sun's response appear below. I see no indication at http://www.sun.com/solaris/wbem/ that a new version is available. It does appear (from a bug report in the Sunsolve database) that the Solaris 8 beta includes WBEM 2.0. Without authenticating, a search for wbem at http://sunsolve.sun.com/ reveals no documents unless I authenticate with my support login and password. Using my support login, I still can find no mention of this installation bug. Jim-- is there any word on a publicly available fix for this? When will Sun release a security patch related to this? Since everyone had to register to download a copy of WBEM 1.0, will Sun send an announcement to those that downloaded it notifying them of the vulernability? Mike ----- Forwarded message from Jim Davis <james.d.davis () east sun com> ----- Date: Fri, 05 Nov 1999 14:13:43 -0500 From: Jim Davis <james.d.davis () east sun com> To: Michael Gerdts <gerdts () cae wisc edu> CC: wbem-interest () Sun COM Subject: Re: SECURITY: plaintext admin password stored in world readable file Hi Mike, This is no longer asked in the latest version. This version will be posted to the web in the next 3 - 4 weeks, Jim Davis Michael Gerdts wrote:
During the installation of SUNWwbcor 1.0, the installer is prompted for a password by the package's request script. That password is then stored in plain text in /var/sadm/pkg/SUNWwbcor/pkginfo, which is a world-readable file. This seems to be a necessary evil, given the specifications of the Solaris software packaging scheme. Please add a step to the installation instructions that explains this vulernability and instructs people to change the admin password. Mike -- Mike Gerdts UNIX Systems Administrator Computer-Aided Engineering Center University of Wisconsin - Madison
----- End forwarded message ----- -- Mike Gerdts UNIX Systems Administrator Computer-Aided Engineering Center University of Wisconsin - Madison
Current thread:
- Solaris WBEM 1.0: plaintext password stored in world readable file Michael Gerdts (Dec 06)