If any ucd-snmp version, 4.2.6 and below, is installed setuid root, a local attacker can overwrite any file using the -P and -l parameters.
1016752386d08c853e5ec5531500830362c7331f992a62a1b91766d6ec8dab73
////////////////// ucd-snmp file overwrite vulnerabillity ///////////////////
///////////////////////// <priest@priestmaster.org> /////////////////////////
///////////////////////// http://www.pirestmaster.org ///////////////////////
Affected file: /usr/local/bin/snmpd
Version : ucd-snmp <= 4.2.6
Error class : file overwrite
It's possible to overwrite a file with the -P and the -l parameter, if
ucd-snmp is installed setuid-root. Example:
# /usr/local/bin/snmpd -P /etc/passwd
# /usr/local/bin/snmpd -l /etc/passwd
The -l parameter overwrite the file with logging data from snmpd.
Solution:
Check the uid at the start of execution. If user-id isn't equal to 0, do
not create any files. Another way is, stat the file. If file exist, exit
with an error message.
Happy hacking,
priestmaster