serverviewInsecure.txt

serverviewInsecure.txt: Posted Sep 10, 2004; Authored by l0om | Site excluded.org; The Serverview server management product is susceptible to multiple denial of service and data corruption attacks due to insecure file permissions.; tags | advisory, denial of service; SHA-256 | 108fcccc833eb5fcd6c72e00dec99910326570a898687b5d0d5fcb0084408a96; Download | Favorite | View

serverviewInsecure.txt



date: 06.09.2004
author: l0om - l0om [at] excluded d0t org - www.excluded.org
product: serverview 
problem: insecure file permissions
version: 3.0??? 

serverview is a server management product from fujitsu siemens
which is shipped with every PRIMERGY server.
it is based on snmp an let you view and set values in your MIB
tree.

In /usr/share/snmp/mibs you have stored files which build your
MIB tree.

example
#######

  SNMPv2-MIB.txt
    --includes:
      
sysDescr OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "A textual description of the entity.  This value should
            include the full name and version identification of the
            system's hardware type, software operating-system, and
            networking software."
    ::= { system 1 }

sysObjectID OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
  [...]


#######

the ".index" which is in the same directory includes:

RFC1398-MIB SRVMAGT-ETHER.TXT
UCD-DISKIO-MIB UCD-DISKIO-MIB.txt
SNI-HD-MIB SRVMAGT-HD.TXT
SNI-MYLEX-MIB SRVMAGT-MYLEX.TXT
SNMP-NOTIFICATION-MIB SNMP-NOTIFICATION-MIB.txt
IPV6-TC IPV6-TC.txt
SMUX-MIB SMUX-MIB.txt
EtherLike-MIB EtherLike-MIB.txt
SNMPv2-SMI SNMPv2-SMI.txt
SNI-SERVER-CONTROL-MIB SRVMAGT-SC.TXT
UCD-DEMO-MIB UCD-DEMO-MIB.txt
SNMP-COMMUNITY-MIB SNMP-COMMUNITY-MIB.txt
IPV6-ICMP-MIB IPV6-ICMP-MIB.txt
SNMPv2-MIB SNMPv2-MIB.txt

[...]


in the .index the pathes to the MIB structure files can be found.

now to the dirty part-
        hiding does not prevent from wirting...

badass@box:/usr/share/snmp/mibs> ls -al .index
-rw-rw-rw-    1 root     root         1824 20xx-xx-xx xx:xx .index


therefore we can simply DoS the service with deleting the values in .index
but we also could change a MIB structure file path to eg.

SNMPv2-MIB ../../../../../../../tmp/MY-SNMPv2-MIB.txt
 
what means that we can currupt the whole MIB tree.
with some knowledge on snmp this could end terrible...


the version should be some 3.0 (iam not totaly sure :/).
just check your .index and chmod it to 664.

greets @ www.excluded.org
         murf, john, detach and all guys iam chattin with :)

Top Authors In Last 30 Days

Red Hat 201 files
indoushka 118 files
Ubuntu 88 files
Gentoo 33 files
Jasper Nota 25 files
Debian 24 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,107)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,890)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,615)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,777)
UNIX (9,440)
UnixWare (187)
Windows (6,676)
Other

serverviewInsecure.txt

serverviewInsecure.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

serverviewInsecure.txt

Share This

serverviewInsecure.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems