Bugtraq mailing list archives

Re: Solaris 5.8 snmpd Vulnerability


From: Rob Bartlett - HES CTE <rb124078 () MONTGOMERY UK SUN COM>
Date: Thu, 15 Mar 2001 10:57:51 +0000

psor () AFIP GOV AR said:
> The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root and
> contains a buffer overflow, the problem occurs when it copies its own
> name (argv[0]) to an internal variable without checking its length
> and this causes the overflow.

This package is not part of a standard install; it would only be loaded on the
SSP of an E10K, which, if recommended practice is followed, would be on a
controlled admin network and would only allow access to the users ssp, root
and perhaps application IDs like patrol.  The reason it is setuid is that it
is normally started by the user ssp and needs to access privileged ports.

The variable which gets overwritten is static so it would be extremely
difficult if not impossible to exploit.  The best you can do is cause the
invoked snmpd to fail.

That having been said, I have logged a bug (Id: 4425460) so the problem will
be fixed in future releases.

Regards,

Rob
--
Sun Microsystems HES-CTE          Weave a circle round him thrice,
mailto: Rob.Bartlett () UK Sun COM     And close your eyes with holy dread,
Tel: +44 1276-455-299               For he on honey-dew hath fed,
Mobile: +44 7710-901-701          And drunk the milk of Paradise.
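
The report quoted above describes argv[0] being copied into a fixed-size variable with no length check. As an added example (not code from the original post or from Sun), here is a bounded version of that copy in C; the buffer size, the `progname` variable and the function names are assumptions, since the page does not show the snmpd source.

```c
#include <stdio.h>
#include <string.h>

#define PROGNAME_MAX 32  /* assumed size; the real buffer size is not on the page */

static char progname[PROGNAME_MAX];  /* static, like the variable described above */

/* Unsafe pattern described in the report (shown for contrast, never called):
 *     strcpy(progname, argv[0]);
 * argv[0] is chosen by whoever exec()s the binary, so its length is untrusted. */

/* Copy the program name into the fixed buffer, truncating if needed.
 * Returns 0 if it fit, 1 if it was truncated, -1 if argv[0] was missing. */
int set_progname(int argc, char *const argv[])
{
    const char *name, *slash;
    size_t len;
    int truncated = 0;

    /* A caller can exec() with an empty argument vector, so check first. */
    if (argc < 1 || argv == NULL || argv[0] == NULL || argv[0][0] == '\0') {
        strcpy(progname, "snmpd");  /* fixed fallback, known to fit */
        return -1;
    }
    name = argv[0];
    slash = strrchr(name, '/');     /* keep only the last path component */
    if (slash != NULL && slash[1] != '\0')
        name = slash + 1;
    len = strlen(name);
    if (len >= sizeof progname) {   /* leave room for the terminator */
        len = sizeof progname - 1;
        truncated = 1;
    }
    memcpy(progname, name, len);
    progname[len] = '\0';
    return truncated;
}

const char *get_progname(void) { return progname; }

int main(int argc, char *argv[])
{
    int rc = set_progname(argc, argv);
    printf("progname=\"%s\" rc=%d\n", get_progname(), rc);
    return 0;
}
```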

