SecurityTracker.com

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   SNMP Daemon
Vendors:   Sun
Vendor Confirms Bug (Re: Sun Solaris SNMP Network Management Daemon for Enterprise 10,000 May Give Root Access To Local Users)
SecurityTracker Alert ID:  1001094
SecurityTracker URL:  http://securitytracker.com/id/1001094
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 15 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed:  Yes  

Description:   It was reported that the SNMP daemon that is part of the SUNWsspop package for the Sun Enterprise 10,000 System Service Processor contains a vulnerability that allows local users to execute arbitrary code on the server with root privileges, leading to root-level access to the server.

The vendor has reportedly logged a bug (Id: 4425460) and indicated that the problem will be fixed in future releases.

Impact:   An authorized local user can cause commands to be executed with root privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.sun.com
Cause:   Boundary error
Underlying OS:  UNIX (Solaris - SunOS)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 14 2001 Sun Solaris SNMP Network Management Daemon for Enterprise 10,000 May Give Root Access To Local Users



 Source Message Contents

Subject:  Re: Solaris 5.8 snmpd Vulnerability


psor@AFIP.GOV.AR said:
> The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root and
> contains a buffer overflow; the problem occurs when it copies its own
> name (argv[0]) to an internal variable without checking its length,
> and this causes the overflow.

This package is not part of a standard install; it would only be loaded on the
SSP of an E10K, which, if recommended practice is followed, would be on a
controlled admin network and would only allow access to the users ssp, root
and perhaps application IDs like patrol.  The reason it is setuid is that it
is normally started by the user ssp and needs to access privileged ports.

The variable which gets overwritten is static so it would be extremely
difficult if not impossible to exploit.  The best you can do is cause the
invoked snmpd to fail.

That having been said, I have logged a bug (Id: 4425460) so the problem will
be fixed in future releases.

Regards,

Rob
--
Sun Microsystems HES-CTE          Weave a circle round him thrice,
mailto: Rob.Bartlett@UK.Sun.COM     And close your eyes with holy dread,
Tel: +44 1276-455-299               For he on honey-dew hath fed,
Mobile: +44 7710-901-701          And drunk the milk of Paradise.
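
The unchecked argv[0] copy described in the quoted report, shown next to a bounded version. This is an added example, not part of the original messages and not Sun's code; the buffer size and all function names are assumptions made for illustration.

```c
/* Added example (not Sun's code): the argv[0] copy pattern described above,
 * with the unchecked form next to a bounded one. NAME_MAX_LEN and the
 * function names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64             /* assumed size of the internal buffer */

static char progname[NAME_MAX_LEN]; /* static storage, as in the reply */

/* Unchecked form: argv[0] is chosen by whoever calls exec, so strcpy
 * writes past progname when the name is NAME_MAX_LEN bytes or longer. */
void set_progname_unchecked(const char *argv0)
{
    strcpy(progname, argv0);
}

/* Bounded form: reject NULL/empty input, keep only the basename, and refuse
 * (rather than silently truncate) names that do not fit.
 * Returns 0 on success, -1 on rejection; progname is untouched on rejection. */
int set_progname_checked(const char *argv0)
{
    const char *base;
    size_t len;

    if (argv0 == NULL || argv0[0] == '\0')
        return -1;
    base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    len = strlen(base);
    if (len == 0 || len >= sizeof(progname))
        return -1;
    memcpy(progname, base, len + 1);    /* len + 1 copies the terminator */
    return 0;
}

const char *get_progname(void) { return progname; }

int main(int argc, char **argv)
{
    if (set_progname_checked(argc > 0 ? argv[0] : NULL) != 0) {
        fputs("invalid program name\n", stderr);
        return 1;
    }
    printf("running as %s\n", get_progname());
    return 0;
}
```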


 
 



Copyright 2021, SecurityGlobal.net LLC