Bugtraq mailing list archives
[ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability
From: loveyou () DOGFOOT HACKERSLAB ORG (loveyou () DOGFOOT HACKERSLAB ORG)
Date: Wed, 7 Jun 2000 14:11:48 +0900
================================================================================ [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability ================================================================================ File: /usr/sbin/snmpdm SYSTEM: HP-UX 11.00 Tested by HP-UX B.11.00 A INFO: Snmpdm: Simple Network Management Protocol (SNMP) Daemon When SNMP daemon is started, it creates a temporary file and change the permission of setup-file. even investigate reporting this to them first? My turnaround on patching <=¿©±â±îÁö 1. The creation of temporary file of SNMP daemon when the snmpd daemon is started, it creates /tmp/snmpd.log file with an privilege of root. Unfortunately the file contains 777 permition. $ ls -al /tmp/snmpd.log -rwxrwxrwx 1 root sys 23 Jun 4 01:23 /tmp/snmpd.log 2. The permission for the set-up file of SNMP daemon /etc/SnmpAgent.d/snmpd.conf file - the setup file of SNMP daemon is world writable. $ ls -al /etc/SnmpAgent.d/snmpd.conf -rw-rw-rw- 1 root sys 6959 Jun 3 21:03 /etc/SnmpAgent.d/snmpd.conf You can create a file using a simple symbolic link, and you can obtain the root by inserting trap program. The /tmp/snmpd.log file is created, even if the logfile is specified by -I option # /usr/sbin/snmpdm -l /etc/snmpd.log SNMP Research SNMP Agent Resident Module Version 14.0.1.0 Copyright 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996 SNMP Research, Inc. # ls -al /etc/snmpd.log -rw-rw-rw- 1 root sys 83 Jun 4 01:27 /etc/snmpd.log # ls -al /tmp/snmpd.log -rwxrwxrwx 1 root sys 23 Jun 4 01:27 snmpd.log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SOLUTION The best way is to disable SNMP daemon, because there is no patch available from HP currently. # diff /etc/rc.config.d/SnmpMaster.orig /etc/rc.config.d/SnmpMaster 43c43 < SNMP_MASTER_START=1 # Start the master SNMP agent. ---
SNMP_MASTER_START=0 # Start the master SNMP agent.
And make sure to close the directory permission for the set-up file of SNMP daemon. Because the permission for /etc/SnmpAgent.d/snmpd.conf file is changed as 666 mode whenever snmp daemon is excuted. chmod 700 /etc/SnmpAgent.d ==-------------------------------------------------------------------------------== ******** * ** ** * * ** ** * * ****** * * ** ** * loveyou () hackerslab org * ** ** * [ http://www.hackerslab.org ] ******** HACKERSLAB (C) since 1999 ==-------------------------------------------------------------------------------==
Current thread:
- [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability loveyou () DOGFOOT HACKERSLAB ORG (Jun 06)
- <Possible follow-ups>
- Re: [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability Chris Calabrese (Jun 08)
- Re: [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability Chris Calabrese (Jun 08)