
Sawmill Password Escape
12th Feb 2002 [SBWID-5090]
COMMAND

	Sawmill password escape

SYSTEMS AFFECTED

	Sawmill for Solaris v. 6.2.14

PROBLEM

	In darky0da Warped Force advisory [#2]:
	

	When the Sawmill executable is launched and the user enters an initial
	password, the password is saved in file AdminPassword. This file is
	created mode 0666 (world read/writeable permissions).
	

	This happens regardless of the password_file_permissions setting in
	file DefaultConfig, which is by default set to mode 0600. I have tried
	this with user and root privileges and it occurs in each instance.
	

	The default path to file AdminPassword is accessible to users. The
	LogAnalysisInfo directory is created mode 0755.
	

	The contents of the AdminPassword file are MD5'ed. It is trivial to
	overwrite this value with a password of my choosing:
	

	rm AdminPassword; echo mypasswd | perl -p -e 'chomp' | md5sum | \
	sed 's/  -//' | perl -p -e 'chomp' > AdminPassword

	

	I have tested the above thoroughly and it works quite well, allowing me
	access to all parts of the Sawmill pages.

SOLUTION

	Upgrade to v. 6.2.15 released on 2.10.02 [http://www.sawmill.net]

	chmod 600 AdminPassword
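
	The chmod workaround above as a repeatable check, added here as an
	example (it is not code from the advisory or from Sawmill): it compares
	the file's real mode with the mode the configuration asks for and
	tightens it if looser. The function names are hypothetical, the file
	path is supplied by the caller, and a stat(1) with GNU or BSD syntax is
	assumed.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and tighten a credential file.
# Paths are passed in by the caller; nothing here is Sawmill's own code.

# Print the octal permission bits of $1 (GNU stat, then BSD stat syntax).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed when $1 grants no permission bit beyond octal mode $2 (default 600).
mode_within() {
    actual=$(file_mode "$1") || return 2
    # Bits present on the file but absent from the allowed mode.
    extra=$(( 0$actual & ~0${2:-600} & 07777 ))
    [ "$extra" -eq 0 ]
}

# Audit password file $1 against mode $2 (default 600). A loose mode is
# reported, tightened, and checked again, because the advisory shows the
# configured mode was not honoured when the file was created.
# Returns 0 = already fine, 1 = was loose and is now fixed, 2 = could not fix.
audit_password_file() {
    file=$1 want=${2:-600}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if mode_within "$file" "$want"; then
        echo "ok: $file is mode $(file_mode "$file")"
        return 0
    fi
    echo "LOOSE: $file is mode $(file_mode "$file"), expected at most $want"
    chmod "$want" "$file" && mode_within "$file" "$want" || return 2
    echo "fixed: $file is now mode $(file_mode "$file")"
    return 1
}
```

	A return value of 1 means the file was writable by others for some
	period, so the stored hash should be treated as untrusted and the
	administrator password set again after the mode is fixed.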
