Bugtraq mailing list archives
Re: Solaris 5.8 snmpd Vulnerability
From: Rob Bartlett - HES CTE <rb124078 () MONTGOMERY UK SUN COM>
Date: Thu, 15 Mar 2001 10:57:51 +0000
psor () AFIP GOV AR said:
The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root and contains a buffer overflow; the problem occurs when it copies its own name (argv[0]) to an internal variable without checking its length, and this causes the overflow.
This package is not part of a standard install. It would only be loaded on the SSP of an E10K which, if recommended practice is followed, would be on a controlled admin network, and would only allow access to the users ssp, root and perhaps application IDs like patrol.

The reason it is setuid is that it is normally started by the user ssp and needs to access privileged ports.

The variable which gets overwritten is static, so it would be extremely difficult if not impossible to exploit. The best you can do is cause the invoked snmpd to fail.

That having been said, I have logged a bug (Id: 4425460) so the problem will be fixed in future releases.

Regards,
Rob
--
Sun Microsystems HES-CTE              Weave a circle round him thrice,
mailto: Rob.Bartlett () UK Sun COM    And close your eyes with holy dread,
Tel: +44 1276-455-299                 For he on honey-dew hath fed,
Mobile: +44 7710-901-701              And drunk the milk of Paradise.
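Added example, not part of the original messages and not Sun's code: a bounded way for a setuid program to record its own name from argv[0] in a static buffer, the operation the report says was done without a length check. The buffer size, the function names and the "snmpd" fallback are assumptions; the thread does not show the actual source.

```c
#include <stdio.h>
#include <string.h>

#define PROGNAME_MAX 64              /* assumed size; the thread gives none */
#define PROGNAME_FALLBACK "snmpd"    /* assumed fixed fallback name */

static char progname[PROGNAME_MAX];  /* static, like the variable in the thread */

/* The unchecked pattern described in the report would look like
 *     strcpy(progname, argv[0]);
 * (assumed form). argv[0] is chosen by whoever exec()s the binary, so in a
 * setuid program it is untrusted input of arbitrary length.
 *
 * Bounded replacement. Returns 0 if the name was stored whole, 1 if it was
 * truncated to fit, -1 if argv0 was NULL or had no usable name (an exec()
 * caller may pass an empty argument vector) and the fallback was used. */
int set_progname(const char *argv0)
{
    const char *base = NULL;
    size_t len;

    if (argv0 != NULL) {
        base = strrchr(argv0, '/');          /* keep only the last path component */
        base = (base != NULL) ? base + 1 : argv0;
    }
    if (base == NULL || base[0] == '\0') {
        memcpy(progname, PROGNAME_FALLBACK, sizeof(PROGNAME_FALLBACK));
        return -1;
    }
    len = strlen(base);
    if (len >= sizeof(progname)) {           /* would not fit with its terminator */
        memcpy(progname, base, sizeof(progname) - 1);
        progname[sizeof(progname) - 1] = '\0';
        return 1;
    }
    memcpy(progname, base, len + 1);         /* includes the terminating NUL */
    return 0;
}

const char *get_progname(void) { return progname; }

int main(int argc, char **argv)
{
    int rc = set_progname(argc > 0 ? argv[0] : NULL);
    printf("progname=%s rc=%d\n", get_progname(), rc);
    return 0;
}
```

A caller that treats an over-long argv[0] as hostile can exit on a return value of 1 instead of continuing with the truncated name.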