BugTraq
Back to list
|
Post reply
serverview 3.0 - insecure file permissions
Sep 06 2004 01:46PM
Rene (l0om excluded org)
date: 06.09.2004
author: l0om - l0om [at] excluded d0t org - www.excluded.org
product: serverview
problem: insecure file permissions
version: 3.0???
serverview is a server management product from fujitsu siemens
which is shipped with every PRIMERGY server.
it is based on snmp an let you view and set values in your MIB
tree.
In /usr/share/snmp/mibs you have stored files which build your
MIB tree.
example
#######
SNMPv2-MIB.txt
--includes:
sysDescr OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A textual description of the entity. This value should
include the full name and version identification of the
system's hardware type, software operating-system, and
networking software."
::= { system 1 }
sysObjectID OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
[...]
#######
the ".index" which is in the same directory includes:
RFC1398-MIB SRVMAGT-ETHER.TXT
UCD-DISKIO-MIB UCD-DISKIO-MIB.txt
SNI-HD-MIB SRVMAGT-HD.TXT
SNI-MYLEX-MIB SRVMAGT-MYLEX.TXT
SNMP-NOTIFICATION-MIB SNMP-NOTIFICATION-MIB.txt
IPV6-TC IPV6-TC.txt
SMUX-MIB SMUX-MIB.txt
EtherLike-MIB EtherLike-MIB.txt
SNMPv2-SMI SNMPv2-SMI.txt
SNI-SERVER-CONTROL-MIB SRVMAGT-SC.TXT
UCD-DEMO-MIB UCD-DEMO-MIB.txt
SNMP-COMMUNITY-MIB SNMP-COMMUNITY-MIB.txt
IPV6-ICMP-MIB IPV6-ICMP-MIB.txt
SNMPv2-MIB SNMPv2-MIB.txt
[...]
in the .index the pathes to the MIB structure files can be found.
now to the dirty part-
hiding does not prevent from wirting...
badass@box:/usr/share/snmp/mibs> ls -al .index
-rw-rw-rw- 1 root root 1824 20xx-xx-xx xx:xx .index
therefore we can simply DoS the service with deleting the values in .index
but we also could change a MIB structure file path to eg.
SNMPv2-MIB ../../../../../../../tmp/MY-SNMPv2-MIB.txt
what means that we can currupt the whole MIB tree.
with some knowledge on snmp this could end terrible...
the version should be some 3.0 (iam not totaly sure :/).
just check your .index and chmod it to 664.
greets @ www.excluded.org
murf, john, detach and all guys iam chattin with :)
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
date: 06.09.2004
author: l0om - l0om [at] excluded d0t org - www.excluded.org
product: serverview
problem: insecure file permissions
version: 3.0???
serverview is a server management product from fujitsu siemens
which is shipped with every PRIMERGY server.
it is based on snmp an let you view and set values in your MIB
tree.
In /usr/share/snmp/mibs you have stored files which build your
MIB tree.
example
#######
SNMPv2-MIB.txt
--includes:
sysDescr OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A textual description of the entity. This value should
include the full name and version identification of the
system's hardware type, software operating-system, and
networking software."
::= { system 1 }
sysObjectID OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
[...]
#######
the ".index" which is in the same directory includes:
RFC1398-MIB SRVMAGT-ETHER.TXT
UCD-DISKIO-MIB UCD-DISKIO-MIB.txt
SNI-HD-MIB SRVMAGT-HD.TXT
SNI-MYLEX-MIB SRVMAGT-MYLEX.TXT
SNMP-NOTIFICATION-MIB SNMP-NOTIFICATION-MIB.txt
IPV6-TC IPV6-TC.txt
SMUX-MIB SMUX-MIB.txt
EtherLike-MIB EtherLike-MIB.txt
SNMPv2-SMI SNMPv2-SMI.txt
SNI-SERVER-CONTROL-MIB SRVMAGT-SC.TXT
UCD-DEMO-MIB UCD-DEMO-MIB.txt
SNMP-COMMUNITY-MIB SNMP-COMMUNITY-MIB.txt
IPV6-ICMP-MIB IPV6-ICMP-MIB.txt
SNMPv2-MIB SNMPv2-MIB.txt
[...]
in the .index the pathes to the MIB structure files can be found.
now to the dirty part-
hiding does not prevent from wirting...
badass@box:/usr/share/snmp/mibs> ls -al .index
-rw-rw-rw- 1 root root 1824 20xx-xx-xx xx:xx .index
therefore we can simply DoS the service with deleting the values in .index
but we also could change a MIB structure file path to eg.
SNMPv2-MIB ../../../../../../../tmp/MY-SNMPv2-MIB.txt
what means that we can currupt the whole MIB tree.
with some knowledge on snmp this could end terrible...
the version should be some 3.0 (iam not totaly sure :/).
just check your .index and chmod it to 664.
greets @ www.excluded.org
murf, john, detach and all guys iam chattin with :)
[ reply ]