SecurityTracker.com
Category:   Application (Generic)  >   ServerView
Vendors:   Fujitsu
Fujitsu ServerView Lets Local Users Modify MIB Values
SecurityTracker Alert ID:  1011168
SecurityTracker URL:  http://securitytracker.com/id/1011168
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 6 2004
Impact:   Denial of service via local system, Modification of system information
Exploit Included:  Yes  
Version(s): possibly 3.0
Description:   A vulnerability was reported in ServerView. A local user can modify MIB values.

l0om from excluded.org reported that the '.index' file is world-writable. A local user can modify the file. A local user can also modify a MIB structure file path to corrupt the MIB tree.

Impact:   A local user can modify MIB values.
Solution:   No solution was available at the time of this entry.

The author of the report recommends that you check the '.index' file and chmod it to 664.

Cause:   Access control error, Configuration error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  serverview 3.0 - insecure file permissions




date: 06.09.2004
author: l0om - l0om [at] excluded d0t org - www.excluded.org
product: serverview 
problem: insecure file permissions
version: 3.0??? 

serverview is a server management product from fujitsu siemens
which is shipped with every PRIMERGY server.
it is based on snmp and lets you view and set values in your MIB
tree.

In /usr/share/snmp/mibs you have stored files which build your
MIB tree.

example
#######

  SNMPv2-MIB.txt
    --includes:
      
sysDescr OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "A textual description of the entity.  This value should
            include the full name and version identification of the
            system's hardware type, software operating-system, and
            networking software."
    ::= { system 1 }

sysObjectID OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
	[...]


#######

the ".index" which is in the same directory includes:

RFC1398-MIB SRVMAGT-ETHER.TXT
UCD-DISKIO-MIB UCD-DISKIO-MIB.txt
SNI-HD-MIB SRVMAGT-HD.TXT
SNI-MYLEX-MIB SRVMAGT-MYLEX.TXT
SNMP-NOTIFICATION-MIB SNMP-NOTIFICATION-MIB.txt
IPV6-TC IPV6-TC.txt
SMUX-MIB SMUX-MIB.txt
EtherLike-MIB EtherLike-MIB.txt
SNMPv2-SMI SNMPv2-SMI.txt
SNI-SERVER-CONTROL-MIB SRVMAGT-SC.TXT
UCD-DEMO-MIB UCD-DEMO-MIB.txt
SNMP-COMMUNITY-MIB SNMP-COMMUNITY-MIB.txt
IPV6-ICMP-MIB IPV6-ICMP-MIB.txt
SNMPv2-MIB SNMPv2-MIB.txt

[...]


in the .index the paths to the MIB structure files can be found.

now to the dirty part-
        hiding does not prevent from writing...

badass@box:/usr/share/snmp/mibs> ls -al .index
-rw-rw-rw-    1 root     root         1824 20xx-xx-xx xx:xx .index


therefore we can simply DoS the service by deleting the values in .index
but we also could change a MIB structure file path to e.g.

SNMPv2-MIB ../../../../../../../tmp/MY-SNMPv2-MIB.txt
 
which means that we can corrupt the whole MIB tree.
with some knowledge on snmp this could end terribly...


the version should be some 3.0 (I am not totally sure :/).
just check your .index and chmod it to 664.

greets @ www.excluded.org
         murf, john, detach and all guys I am chattin with :)
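
A defensive check for the condition described in the message above, added here as an example (not code from the original report or from Fujitsu): it flags a world-writable `.index` and any entry whose file path resolves outside the MIB directory. The function names and the sample directory are constructed for illustration, and the two-column `.index` layout is assumed from the listing in the post.

```python
import os
import stat
import tempfile


def audit_mib_index(mib_dir):
    """Return a list of (kind, detail) findings for mib_dir/.index."""
    findings = []
    index_path = os.path.join(mib_dir, ".index")

    # Check 1: the "other" write bit, i.e. the -rw-rw-rw- case from the report.
    mode = stat.S_IMODE(os.stat(index_path).st_mode)
    if mode & stat.S_IWOTH:
        findings.append(("world-writable", f"{index_path} mode {mode:04o}"))

    # Check 2: every "MODULE FILE" entry must resolve inside the MIB directory.
    root = os.path.realpath(mib_dir)
    with open(index_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue  # blank or malformed line, nothing to resolve
            module, rel = parts[0], parts[1].strip()
            target = os.path.realpath(os.path.join(root, rel))
            if os.path.commonpath([root, target]) != root:
                findings.append(
                    ("outside-mib-dir", f"line {lineno}: {module} -> {rel}"))
    return findings


def build_sample(mode):
    """Constructed sample: a temporary MIB directory with a three-line .index."""
    mib_dir = tempfile.mkdtemp()
    index_path = os.path.join(mib_dir, ".index")
    with open(index_path, "w", encoding="utf-8") as fh:
        fh.write("SNMPv2-SMI SNMPv2-SMI.txt\n"
                 "SNMPv2-MIB ../../../../../../../tmp/MY-SNMPv2-MIB.txt\n"
                 "IPV6-TC IPV6-TC.txt\n")
    os.chmod(index_path, mode)  # explicit chmod, so the umask does not matter
    return mib_dir


if __name__ == "__main__":
    for kind, detail in audit_mib_index(build_sample(0o666)):
        print(f"{kind}: {detail}")
```

On a real host, call `audit_mib_index("/usr/share/snmp/mibs")`; an empty list means neither condition was found.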


 
 



Copyright 2021, SecurityGlobal.net LLC