Vulnerability

    /usr/sbin/snmpdm

Affected

    HP-UX 11.00

Description

    The following is based on a Hackerslab Advisory (and was tested on
    HP-UX B.11.00 A). snmpdm is the Simple Network Management Protocol
    (SNMP) daemon. When the SNMP daemon is started, it creates a temporary
    file and changes the permissions of its setup file.

    When the snmpd daemon is started, it creates the /tmp/snmpd.log file
    with root privileges. Unfortunately, the file has mode 777:

        $ ls -al /tmp/snmpd.log
        -rwxrwxrwx 1 root sys 23 Jun 4 01:23 /tmp/snmpd.log

    The /etc/SnmpAgent.d/snmpd.conf file, the setup file of the SNMP
    daemon, is world-writable:

        $ ls -al /etc/SnmpAgent.d/snmpd.conf
        -rw-rw-rw- 1 root sys 6959 Jun 3 21:03 /etc/SnmpAgent.d/snmpd.conf

    You can create a file using a simple symbolic link, and you can obtain
    root by inserting a trap program.

    The /tmp/snmpd.log file is created even if the log file is specified
    with the -l option:

        # /usr/sbin/snmpdm -l /etc/snmpd.log
        SNMP Research SNMP Agent Resident Module Version 14.0.1.0
        Copyright 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996 SNMP Research, Inc.
        # ls -al /etc/snmpd.log
        -rw-rw-rw- 1 root sys 83 Jun 4 01:27 /etc/snmpd.log
        # ls -al /tmp/snmpd.log
        -rwxrwxrwx 1 root sys 23 Jun 4 01:27 snmpd.log

Solution

    The /etc/SnmpAgent.d/snmpd.conf file permission problem can be solved
    by installing PHSS_21046. Older versions of the Emanate Master Agent
    (pre PHSS_17945) temporarily moved snmpd.conf to /tmp and re-created
    /etc/SnmpAgent.d/snmpd.conf using the current umask set for root. The
    code has been changed to preserve the file access rights. The Master
    Agent log file(s) are still created using the current umask if the
    files are not present; otherwise the previous permissions are
    preserved.

    The following steps should be performed:

    1) install PHSS_21046
    2) chmod 600 /etc/SnmpAgent.d
    3) chmod 600 /var/adm/snmpd.log
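
The conditions described above (writable log and setup files, a symbolic link at a path the daemon writes as root, and log files created under root's current umask) can be checked with a short POSIX shell script. This is an added example, not code from the advisory or from HP; the function names check_file, umask_is_safe and audit_snmp are made up for illustration, and the mode is read from ls -ld output on the assumption that no stat command is available.

```sh
#!/bin/sh
# Added example (not HP's or Hackerslab's code): audit the files the advisory names.

# check_file PATH -> 0 ok or absent, 1 group/world-writable, 2 symbolic link
check_file() {
    f=$1
    if [ -h "$f" ]; then
        # A root daemon opening this path would write to the link target.
        echo "SYMLINK  $f -> $(ls -ld "$f" | sed 's/.* -> //')"
        return 2
    fi
    if [ ! -e "$f" ]; then
        echo "ABSENT   $f (would be created under root's current umask)"
        return 0
    fi
    mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rwxrwxrwx
    case "$mode" in
        ????????w*) echo "WORLD-W  $mode $f"; return 1 ;;
        ?????w*)    echo "GROUP-W  $mode $f"; return 1 ;;
    esac
    echo "OK       $mode $f"
}

# umask_is_safe MASK -> true when MASK clears both group and other write bits
umask_is_safe() {
    [ $(( 0$1 & 022 )) -eq 18 ]           # 022 octal == 18 decimal
}

# audit_snmp -> non-zero if any finding; paths are the ones listed in the advisory
audit_snmp() {
    bad=0
    for p in /tmp/snmpd.log /etc/SnmpAgent.d/snmpd.conf /var/adm/snmpd.log; do
        check_file "$p" || bad=1
    done
    if ! umask_is_safe "$(umask)"; then
        echo "UMASK    $(umask) lets new log files be group/world-writable"
        bad=1
    fi
    return $bad
}

audit_snmp || echo "Findings above need attention before snmpdm is (re)started."
```

Run it as root from the same environment that starts snmpdm, so that the umask it reports is the one the daemon would inherit.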