Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Solaris WBEM 1.0: plaintext password stored in world readable file
From: gerdts () CAE WISC EDU (Michael Gerdts)
Date: Mon, 6 Dec 1999 11:32:46 -0600

A while back I was looking at Sun's WBEM (Web-Based Enterprise Management)
and noticed that the preinstall script asked for a password.  According to
the way that Sun's packaging works, for the password to be used during the
installation the password would need to be stored in a file.  Sure 'nuf--
it was stored in /var/sadm/pkg/SUNWwbcor/pkginfo.  If you have installed
WBEM and have not changed the admin password, I suggest changing the
password.

I have reported this bug to Sun.  My report and Sun's response appear
below.  I see no indication at http://www.sun.com/solaris/wbem/ that a new
version is available.  It does appear (from a bug report in the Sunsolve
database) that the Solaris 8 beta includes WBEM 2.0.

Without authenticating, a search for wbem at http://sunsolve.sun.com/
reveals no documents unless I authenticate with my support login and
password.  Using my support login, I still can find no mention of this
installation bug.

Jim-- is there any word on a publicly available fix for this?  When will
Sun release a security patch related to this?  Since everyone had to
register to download a copy of WBEM 1.0, will Sun send an announcement to
those that downloaded it notifying them of the vulernability?

Mike

----- Forwarded message from Jim Davis <james.d.davis () east sun com> -----

Date: Fri, 05 Nov 1999 14:13:43 -0500
From: Jim Davis <james.d.davis () east sun com>
To: Michael Gerdts <gerdts () cae wisc edu>
CC: wbem-interest () Sun COM
Subject: Re: SECURITY: plaintext admin password stored in world readable file

Hi Mike,
    This is no longer asked in the latest version. This version will be posted
to the web in the next 3 - 4 weeks,

Jim Davis

Michael Gerdts wrote:


During the installation of SUNWwbcor 1.0, the installer is prompted for a
password by the package's request script.  That password is then stored in
plain text in /var/sadm/pkg/SUNWwbcor/pkginfo, which is a world-readable
file.  This seems to be a necessary evil, given the specifications of the
Solaris software packaging scheme.

Please add a step to the installation instructions that explains this
vulernability and instructs people to change the admin password.

Mike

--
Mike Gerdts
UNIX Systems Administrator
Computer-Aided Engineering Center
University of Wisconsin - Madison


----- End forwarded message -----

--
Mike Gerdts
UNIX Systems Administrator
Computer-Aided Engineering Center
University of Wisconsin - Madison

  By Date           By Thread  

Current thread:
  • Solaris WBEM 1.0: plaintext password stored in world readable file Michael Gerdts (Dec 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]