SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Net-snmp Vendors:   net-snmp.sourceforge.net
net-snmp 'fixproc' Unsafe Temporary File Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1014039
SecurityTracker URL:  http://securitytracker.com/id/1014039
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 24 2005
Impact:   Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed:  Yes  
Version(s): 5.2.1 and prior versions
Description:   Eric Romang (ZATAZ) reported a vulnerability in net-snmp in the fixproc utility. A local user may be able to gain elevated privileges.

The fixproc component creates a temporary file in an unsafe manner and then executes the contents of the file. A local user can execute arbitrary commands with root privileges.

The vendor was notified on May 17, 2005.

The original advisory is available at:

http://www.zataz.net/adviso/net-snmp-05182005.txt

Impact:   A local user can execute arbitrary commands with root privileges.
Solution:   A final solution was not available at the time of this entry. A proposed patch is available from the vendor at:

http://sourceforge.net/tracker/index.php?func=detail&aid=1203376&group_id=12694&atid=112694

Vendor URL:  net-snmp.sourceforge.net/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  net-snmp fixproc insecure temporary file creation


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#########################################################
net-snmp fixproc insecure temporary file creation

Vendor: http://www.net-snmp.org
Advisory: http://www.zataz.net/adviso/net-snmp-05182005.txt
Vendor informed: yes
Exploit available:no
Impact : low
Exploitation : low

#########################################################

net-snmp fixproc contain a security flaw how could
allow a malicious local attacker to execute arbitrary commands
with root privileges.

##########
Versions:
##########

net-snmp <= 5.2.1

##########
Solution:
##########

Depends the linux distribution you use,
some are patched, some not, the vendor
is looking on a official patch.

#########
Timeline:
#########

Discovered : 2005-05-07
Vendor notified : 2005-05-17
Vendor response : 2005-05-23
Vendor fix :  no date
Disclosure : 2005-05-23

#####################
Technical details :
#####################

Just take a look at /usr/bin/fixproc

Line 233 :

# it must be "shell", so execute the shell script defined in database

local ($tmpfile) = "/tmp/fix_$$";

&create_sh_script ($fix{$proc}, $tmpfile);

# return code is number divided by 256
$error_code = (system "$tmpfile") / 256;

- -----------------------------------------

We see that the tmp file is created with $$ value and this script is  
execute by the perl system command

The subfunction do only this :

- -------------------------------------

sub create_sh_script
{
   local ($file) = pop (@_);
   local ($i) = pop (@_);

   printf (stderr "create_sh_script\n") if ($debug > 0);

   $! = $fixproc_error;
   open (file, ">"."$file") || die "$0: cannot open $file\n";
   while ( $shell_lines[$i] ne $shell_end_marker )
     {
       printf (file "%s", $shell_lines[$i]);
       $i++;
     }
   close (file);
   system "chmod +x $file";
   return file;
}

- ----------------------------------

The same for the fonction do_check()

########
Notice :
########

Take a look on this :

http://rpmfind.net/linux/RPM/suse/9.1/i386/suse/i586/net- 
snmp-5.1-80.i586.html

* Tue Mar 16 2004 - ro@suse.de
   - use mktemp in fixproc (#36103)

#########
Related :
#########

http://sourceforge.net/tracker/index.php? 
func=detail&aid=1203376&group_id=12694&atid=112694
http://bugs.gentoo.org/show_bug.cgi?id=91792

#########
Credits :
#########

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCkkQzXXuxWE8lDAcRAhPZAJwNgzs0jacMumLmV6XPgGoy9nXHEgCeMLBx
YZA5wA+dnE9/7QrHPIENyRY=
=624Z
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC