
serverview 3.0 - insecure file permissions




date: 06.09.2004
author: l0om - l0om [at] excluded d0t org - www.excluded.org
product: serverview 
problem: insecure file permissions
version: 3.0??? 

serverview is a server management product from fujitsu siemens
which is shipped with every PRIMERGY server.
it is based on snmp and lets you view and set values in your MIB
tree.

In /usr/share/snmp/mibs you have stored files which build your
MIB tree.

example
#######

  SNMPv2-MIB.txt
    --includes:
      
sysDescr OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "A textual description of the entity.  This value should
            include the full name and version identification of the
            system's hardware type, software operating-system, and
            networking software."
    ::= { system 1 }

sysObjectID OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
        [...]


#######

the ".index" which is in the same directory includes:

RFC1398-MIB SRVMAGT-ETHER.TXT
UCD-DISKIO-MIB UCD-DISKIO-MIB.txt
SNI-HD-MIB SRVMAGT-HD.TXT
SNI-MYLEX-MIB SRVMAGT-MYLEX.TXT
SNMP-NOTIFICATION-MIB SNMP-NOTIFICATION-MIB.txt
IPV6-TC IPV6-TC.txt
SMUX-MIB SMUX-MIB.txt
EtherLike-MIB EtherLike-MIB.txt
SNMPv2-SMI SNMPv2-SMI.txt
SNI-SERVER-CONTROL-MIB SRVMAGT-SC.TXT
UCD-DEMO-MIB UCD-DEMO-MIB.txt
SNMP-COMMUNITY-MIB SNMP-COMMUNITY-MIB.txt
IPV6-ICMP-MIB IPV6-ICMP-MIB.txt
SNMPv2-MIB SNMPv2-MIB.txt

[...]


the .index lists the paths to the MIB structure files.

now to the dirty part-
        hiding does not prevent writing...

badass@box:/usr/share/snmp/mibs> ls -al .index
-rw-rw-rw-    1 root     root         1824 20xx-xx-xx xx:xx .index


therefore we can simply DoS the service by deleting the values in .index,
but we could also change a MIB structure file path to e.g.

SNMPv2-MIB ../../../../../../../tmp/MY-SNMPv2-MIB.txt
 
which means that we can corrupt the whole MIB tree.
with some knowledge of snmp this could end terribly...


the version should be some 3.0 (I am not totally sure :/).
just check your .index and chmod it to 664.

greets @ www.excluded.org
         murf, john, detach and all guys I am chattin with :)
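
The "check your .index" step from the advisory, as an added example (not part of the original post and not vendor code): it flags a world-writable .index and any entry whose file field leaves the MIB directory. The function names are made up for this example, and the "<MODULE> <file>" line format is assumed from the listing above; the symlink check goes slightly beyond what the advisory describes.

```sh
#!/bin/sh
# Added example: audit a MIB directory's ".index" file.
# Assumes the layout shown in the advisory: one "<MODULE> <file>" pair per line.

# Report the index if users other than owner/group may write to it.
check_index_mode() {
    perms=$(ls -ld "$1" | cut -c1-10)       # e.g. -rw-rw-rw-
    case "$perms" in
        ????????w?) echo "WORLD-WRITABLE: $1 ($perms)"; return 1 ;;
    esac
    return 0
}

# Report entries whose file field is empty, carries a path component,
# or is a symlink, i.e. anything that can pull a MIB from outside the directory.
check_index_entries() {
    dir="$1"; bad=0
    while read -r module file rest; do
        [ -z "$module" ] && continue
        case "$file" in
            ""|.|..|*/*) echo "SUSPICIOUS PATH: $module -> $file"; bad=1; continue ;;
        esac
        if [ -L "$dir/$file" ]; then
            echo "SYMLINK: $module -> $file"; bad=1
        fi
    done < "$dir/.index"
    return "$bad"
}

# Run both checks; the return status is non-zero when anything was reported.
audit_mib_index() {
    dir="$1"; rc=0
    [ -f "$dir/.index" ] || { echo "NO INDEX: $dir/.index"; return 2; }
    check_index_mode "$dir/.index" || rc=1
    check_index_entries "$dir" || rc=1
    return "$rc"
}

# Usage: sh audit_index.sh /usr/share/snmp/mibs
if [ "$#" -gt 0 ]; then
    audit_mib_index "$1"
fi
```

A clean permission result does not show that the entries were never modified while the file was writable, so compare the listed files against a known-good copy as well.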