serverview 3.0 - insecure file permissions

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: serverview 3.0 - insecure file permissions
From: Rene <l0om@xxxxxxxxxxxx>
Date: 6 Sep 2004 13:46:26 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


date: 06.09.2004
author: l0om - l0om [at] excluded d0t org - www.excluded.org
product: serverview 
problem: insecure file permissions
version: 3.0??? 

serverview is a server management product from fujitsu siemens
which is shipped with every PRIMERGY server.
it is based on snmp an let you view and set values in your MIB
tree.

In /usr/share/snmp/mibs you have stored files which build your
MIB tree.

example
#######

  SNMPv2-MIB.txt
    --includes:
      
sysDescr OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "A textual description of the entity.  This value should
            include the full name and version identification of the
            system's hardware type, software operating-system, and
            networking software."
    ::= { system 1 }

sysObjectID OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
        [...]


#######

the ".index" which is in the same directory includes:

RFC1398-MIB SRVMAGT-ETHER.TXT
UCD-DISKIO-MIB UCD-DISKIO-MIB.txt
SNI-HD-MIB SRVMAGT-HD.TXT
SNI-MYLEX-MIB SRVMAGT-MYLEX.TXT
SNMP-NOTIFICATION-MIB SNMP-NOTIFICATION-MIB.txt
IPV6-TC IPV6-TC.txt
SMUX-MIB SMUX-MIB.txt
EtherLike-MIB EtherLike-MIB.txt
SNMPv2-SMI SNMPv2-SMI.txt
SNI-SERVER-CONTROL-MIB SRVMAGT-SC.TXT
UCD-DEMO-MIB UCD-DEMO-MIB.txt
SNMP-COMMUNITY-MIB SNMP-COMMUNITY-MIB.txt
IPV6-ICMP-MIB IPV6-ICMP-MIB.txt
SNMPv2-MIB SNMPv2-MIB.txt

[...]


in the .index the pathes to the MIB structure files can be found.

now to the dirty part-
        hiding does not prevent from wirting...

badass@box:/usr/share/snmp/mibs> ls -al .index
-rw-rw-rw-    1 root     root         1824 20xx-xx-xx xx:xx .index


therefore we can simply DoS the service with deleting the values in .index
but we also could change a MIB structure file path to eg.

SNMPv2-MIB ../../../../../../../tmp/MY-SNMPv2-MIB.txt
 
what means that we can currupt the whole MIB tree.
with some knowledge on snmp this could end terrible...


the version should be some 3.0 (iam not totaly sure :/).
just check your .index and chmod it to 664.

greets @ www.excluded.org
         murf, john, detach and all guys iam chattin with :)

Prev by Date: OpenOffice World-Readable Temporary Files Disclose Files to Local Users
Next by Date: BlackJumboDog FTP Server version 3.6.1 Buffer Overflow [Exploit included]
Previous by thread: OpenOffice World-Readable Temporary Files Disclose Files to Local Users
Next by thread: BlackJumboDog FTP Server version 3.6.1 Buffer Overflow [Exploit included]
Index(es):
- Date
- Thread