
FreeBSD bsnmpd Information Disclosure

Posted Jan 16, 2016
Authored by Pierre Kim

FreeBSD suffers from a bsnmpd information disclosure vulnerability.

tags | exploit, info disclosure
systems | freebsd, bsd
advisories | CVE-2015-5677
MD5 | 7d1a99c3863b05856f67c2ccb39b1ae2


## Advisory Information

Title: FreeBSD bsnmpd information disclosure
Advisory URL: https://pierrekim.github.io/advisories/CVE-2015-5677-freebsd-bsnmpd.txt
Blog URL: https://pierrekim.github.io/blog/2016-01-15-cve-2015-5677-freebsd-bsnmpd.html
Date published: 2016-01-15
Vendors contacted: FreeBSD
Release mode: Released
CVE: CVE-2015-5677



## Product Description

The bsnmpd daemon serves the Internet SNMP (Simple Network Management
Protocol). It is intended to serve only the absolute basic MIBs and
implement all other MIBs through loadable modules.



## Vulnerabilities Summary

By default, the bsnmpd configuration file in FreeBSD 9.3 and 10.x has
weak permissions, which allow a local user to retrieve sensitive
information.



## Details

By default the permissions of the bsnmpd configuration file are 0644
instead of 0600:

root@freebsd-test-snmp:~ # ls -latr /etc/snmpd.config
-rw-r--r-- 1 root wheel 8662 Aug 12 16:27 /etc/snmpd.config
root@freebsd-test-snmp:~ #

This file is readable by a local user and contains the credentials for
read-only and read-write access (for the SNMPv1, SNMPv2 and SNMPv3
protocols), which gives a local user unnecessary and dangerous access:

root@freebsd-test-snmp:~ # cat /etc/snmpd.config
[...]

# Change this!
read := "public"
# Uncomment begemotSnmpdCommunityString.0.2 below that sets the community
# string to enable write access.
write := "geheim"
trap := "mytrap"

[...]

# SNMPv3 USM User definition
#
# [...]
#
#user1 := "bsnmp"
#user1passwd := 0x22:0x98:0x1a:0x6e:0x39:0x93:0x16:0x5e:0x6a:0x21:0x1b:0xd8:0xa9:0x81:0x31:0x05:0x16:0x33:0x38:0x60

[...]



## Vendor Response

The official patch does not fix the permissions for existing installations.

This vulnerability can be fixed by setting the owner of
/etc/bsnmpd.conf to root:wheel and its permissions to 0600.
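
One way to check for and apply this permission fix, as an added example
that is not part of the original advisory. It is meant to be run against
the file shown in the Details section (/etc/snmpd.config); the function
names are illustrative, and it prints only the names of the active
credential macros, never their values.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the mode of the bsnmpd
# configuration file and tighten it to the 0600 the advisory calls for.

# Succeeds if any group/other permission bit is set (e.g. 0644).
is_exposed() {
    for bit in 040 020 010 004 002 001; do
        [ -n "$(find "$1" -prune -perm "-$bit" 2>/dev/null)" ] && return 0
    done
    return 1
}

# Print the names (never the values) of active credential macros, i.e. the
# secrets a local user could have read while the file was exposed.
defined_secrets() {
    awk -F':=' '/^[ \t]*(read|write|trap|user[0-9]+passwd)[ \t]*:=/ {
        gsub(/[ \t]/, "", $1); print $1 }' "$1"
}

# audit_snmpd_config FILE [fix]
# Returns 0 if FILE is (now) private, 1 if exposed, 2 if it is missing.
audit_snmpd_config() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 2; }
    echo "$f: owner $(ls -ld "$f" | awk '{print $3 ":" $4}') (expected root:wheel)"
    if ! is_exposed "$f"; then
        echo "$f: no group/other access"
        return 0
    fi
    echo "$f: accessible beyond owner; active secrets defined in it:"
    defined_secrets "$f" | sed 's/^/  /'
    [ "$2" = fix ] || return 1
    chmod 0600 "$f" || return 1
    # Changing ownership needs root; root:wheel is the owner the advisory names.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:wheel "$f" 2>/dev/null || echo "  chown root:wheel failed" >&2
    fi
    echo "$f: mode set to 0600"
    if is_exposed "$f"; then return 1; fi
    return 0
}

# Run only when a path is given: sh audit.sh /etc/snmpd.config [fix]
if [ $# -gt 0 ]; then audit_snmpd_config "$1" "$2"; fi
```

Any macro name the script lists was readable by local users while the
file was 0644, so those community strings and USM passwords should be
changed after the mode is corrected.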



## Report Timeline

* Nov 04, 2015: Vulnerability found by Pierre Kim.
* Nov 05, 2015: security-officer@freebsd.org is notified of the vulnerability.
* Nov 07, 2015: security-officer@freebsd.org confirms the
vulnerability but patching existing installations does not seem to
be feasible.
* Nov 11, 2015: Pierre Kim asks security-officer@freebsd.org for a
CVE number, using FreeBSD CVE pool for future FreeBSD vulnerabilities.
* Nov 11, 2015: security-officer@freebsd.org assigns CVE-2015-5677.
* Jan 05, 2016: Pierre Kim asks about the status of the vulnerability.
* Jan 13, 2016: Pierre Kim states he will release a security advisory
on Feb 05, 2016 after a 3-month embargo.
* Jan 13, 2016: security-officer@freebsd.org confirms a security
advisory will be issued on Jan 19, 2016.
* Jan 14, 2016: An official advisory is published by FreeBSD.
* Jan 15, 2016: A public advisory is sent to security mailing lists.



## Credit

This vulnerability was found by Pierre Kim (@PierreKimSec).



## References

https://pierrekim.github.io/advisories/CVE-2015-5677-freebsd-bsnmpd.txt
https://pierrekim.github.io/blog/2016-01-15-cve-2015-5677-freebsd-bsnmpd.html
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:06.bsnmpd.asc



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/



--
Pierre Kim
pierre.kim.sec@gmail.com
@PierreKimSec
https://pierrekim.github.io/
