| Title: AIX Snap command password vulnerability |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 1999-02-17 |
| CVE-ID:[CVE-1999-1405] |
| CWE: |
| Download Site: www.ibm.com |
| Vendor: IBM AIX |
| Vendor Notified: 1999-02-17 |
| Vendor Contact: bugtraq email |
| Advisory: http://www.vapid.dhs.org/advisories/AIX_snap-1998.html |
| Description: The snap command is a diagnostic utlitiy for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/ under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. The danger here is if a system administrator executes snap -a as sometimes requested by IBM support while diagnosing a problem it defeats password shadowing. /tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack and gain access to the password file. |
| Vulnerability: snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command. |
| Export: JSON TEXT XML |
Exploit Code:
|
| Screen Shots: |
| Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory