Bugtraq mailing list archives

[ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability


From: loveyou () DOGFOOT HACKERSLAB ORG (loveyou () DOGFOOT HACKERSLAB ORG)
Date: Wed, 7 Jun 2000 14:11:48 +0900


================================================================================

             [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability

================================================================================

File:   /usr/sbin/snmpdm

SYSTEM:   HP-UX 11.00

           Tested on HP-UX B.11.00 A

INFO:

Snmpdm: Simple Network Management Protocol (SNMP) daemon
When the SNMP daemon is started, it creates a temporary file and changes
the permissions of its setup file.


1. Creation of the SNMP daemon's temporary file

When the snmpd daemon is started, it creates the /tmp/snmpd.log file with
root privileges. Unfortunately, the file has 777 permissions.
$ ls -al /tmp/snmpd.log
-rwxrwxrwx   1 root       sys             23 Jun  4 01:23 /tmp/snmpd.log

2. Permissions on the SNMP daemon's setup file

The /etc/SnmpAgent.d/snmpd.conf file, the setup file of the SNMP daemon, is world-writable.
$ ls -al /etc/SnmpAgent.d/snmpd.conf
-rw-rw-rw-   1 root       sys           6959 Jun  3 21:03  /etc/SnmpAgent.d/snmpd.conf

You can create a file using a simple symbolic link, and you can obtain
root by inserting a trap program.

The /tmp/snmpd.log file is created even if the log file is specified with the -l option:

# /usr/sbin/snmpdm -l /etc/snmpd.log
SNMP Research SNMP Agent Resident Module Version 14.0.1.0
Copyright 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996 SNMP Research, Inc.
# ls -al /etc/snmpd.log
-rw-rw-rw-   1 root       sys             83 Jun  4 01:27 /etc/snmpd.log
# ls -al /tmp/snmpd.log
-rwxrwxrwx   1 root       sys             23 Jun  4 01:27 snmpd.log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SOLUTION

The best way is to disable the SNMP daemon, because no patch is currently
available from HP.

# diff  /etc/rc.config.d/SnmpMaster.orig /etc/rc.config.d/SnmpMaster
43c43
< SNMP_MASTER_START=1   # Start the master SNMP agent.

---
SNMP_MASTER_START=0   # Start the master SNMP agent.
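
Review bot: the replacement side of this 43c43 change is printed without its "> " marker, and a blank line sits between the "<" line and "---", so the text will not apply with patch as shown and should be regenerated from the two files. On the changed line itself, the trailing comment still reads "Start the master SNMP agent." next to SNMP_MASTER_START=0; update the comment to say the agent is deliberately disabled and why, so the setting is not flipped back later.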

Also make sure to close the permissions on the directory that holds the SNMP daemon's
setup file, because the mode of /etc/SnmpAgent.d/snmpd.conf is changed to 666
whenever the SNMP daemon is executed.

chmod 700 /etc/SnmpAgent.d

==-------------------------------------------------------------------------------==
       ********
   *    **   **    *
 *      **   **      *
*       ******       *
 *      **   **      *                                       loveyou () hackerslab org
   *    **   **    *                                    [  http://www.hackerslab.org ]
       ********            HACKERSLAB (C)  since 1999
==-------------------------------------------------------------------------------==
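
The checks implied by the two findings and the SOLUTION section, as an added example that is not part of the original advisory: a portable sh audit that flags symbolic links and world-writable modes on the paths the advisory names, and verifies that /etc/SnmpAgent.d grants nothing to group or other. The function names and the --run switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the advisory: defensive audit of the paths it names.
# Uses only test(1), ls(1), sed(1) and cut(1); no stat(1) is assumed.

# Print one line per finding for PATH; return 1 if anything was found.
audit_path() {
    p=$1
    rc=0
    if [ -h "$p" ]; then
        echo "SYMLINK $p -> $(ls -ld "$p" | sed 's/.* -> //')"
        rc=1
    fi
    [ -e "$p" ] || return $rc          # absent, or a dangling link
    mode=$(ls -ldL "$p" | cut -c1-10)  # -L: report the mode of the link target
    if [ "$(echo "$mode" | cut -c9)" = "w" ]; then
        echo "WORLD-WRITABLE $p ($mode)"
        rc=1
    fi
    return $rc
}

# Return 0 only if DIR grants nothing to group or other (the chmod 700 state).
dir_is_private() {
    [ -d "$1" ] || return 1
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Audit every path given; return 1 if any of them produced a finding.
audit_all() {
    bad=0
    for f in "$@"; do
        audit_path "$f" || bad=1
    done
    return $bad
}

# Paths taken from the advisory text.
SNMP_PATHS="/tmp/snmpd.log /etc/snmpd.log /etc/SnmpAgent.d/snmpd.conf"
if [ "${1:-}" = "--run" ]; then
    audit_all $SNMP_PATHS || echo "findings present"
    dir_is_private /etc/SnmpAgent.d || echo "/etc/SnmpAgent.d is not mode 700 (or is missing)"
fi
```

Because the advisory states that snmpd.conf returns to mode 666 each time the daemon is executed, the audit is most useful when repeated after every daemon start rather than run once.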


