what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

serverviewInsecure.txt

serverviewInsecure.txt
Posted Sep 10, 2004
Authored by l0om | Site excluded.org

The Serverview server management product is susceptible to multiple denial of service and data corruption attacks due to insecure file permissions.

tags | advisory, denial of service
SHA-256 | 108fcccc833eb5fcd6c72e00dec99910326570a898687b5d0d5fcb0084408a96

serverviewInsecure.txt

Change Mirror Download


date: 06.09.2004
author: l0om - l0om [at] excluded d0t org - www.excluded.org
product: serverview
problem: insecure file permissions
version: 3.0???

serverview is a server management product from fujitsu siemens
which is shipped with every PRIMERGY server.
it is based on snmp an let you view and set values in your MIB
tree.

In /usr/share/snmp/mibs you have stored files which build your
MIB tree.

example
#######

SNMPv2-MIB.txt
--includes:

sysDescr OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A textual description of the entity. This value should
include the full name and version identification of the
system's hardware type, software operating-system, and
networking software."
::= { system 1 }

sysObjectID OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
[...]


#######

the ".index" which is in the same directory includes:

RFC1398-MIB SRVMAGT-ETHER.TXT
UCD-DISKIO-MIB UCD-DISKIO-MIB.txt
SNI-HD-MIB SRVMAGT-HD.TXT
SNI-MYLEX-MIB SRVMAGT-MYLEX.TXT
SNMP-NOTIFICATION-MIB SNMP-NOTIFICATION-MIB.txt
IPV6-TC IPV6-TC.txt
SMUX-MIB SMUX-MIB.txt
EtherLike-MIB EtherLike-MIB.txt
SNMPv2-SMI SNMPv2-SMI.txt
SNI-SERVER-CONTROL-MIB SRVMAGT-SC.TXT
UCD-DEMO-MIB UCD-DEMO-MIB.txt
SNMP-COMMUNITY-MIB SNMP-COMMUNITY-MIB.txt
IPV6-ICMP-MIB IPV6-ICMP-MIB.txt
SNMPv2-MIB SNMPv2-MIB.txt

[...]


in the .index the pathes to the MIB structure files can be found.

now to the dirty part-
hiding does not prevent from wirting...

badass@box:/usr/share/snmp/mibs> ls -al .index
-rw-rw-rw- 1 root root 1824 20xx-xx-xx xx:xx .index


therefore we can simply DoS the service with deleting the values in .index
but we also could change a MIB structure file path to eg.

SNMPv2-MIB ../../../../../../../tmp/MY-SNMPv2-MIB.txt

what means that we can currupt the whole MIB tree.
with some knowledge on snmp this could end terrible...


the version should be some 3.0 (iam not totaly sure :/).
just check your .index and chmod it to 664.

greets @ www.excluded.org
murf, john, detach and all guys iam chattin with :)
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close