- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 19300
- Проверка EDB
-
- Пройдено
- Автор
- LARRY W. CASHDOLLAR
- Тип уязвимости
- LOCAL
- Платформа
- AIX
- CVE
- cve-1999-1405
- Дата публикации
- 1999-02-17
IBM AIX 4.2.1 - 'snap' Insecure Temporary File Creation
Код:
source: https://www.securityfocus.com/bid/375/info
The snap command is a diagnostic utlitiy for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/ under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. The danger here is if a system administrator executes snap -a as sometimes requested by IBM support while diagnosing a problem it defeats password shadowing. /tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack and gain access to the password file.
snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command.- Источник
- www.exploit-db.com
