Solaris WBEM 1.0: plaintext password stored in world readable file

From: Michael Gerdts (gerdtsat_private)
Date: Mon Dec 06 1999 - 09:32:46 PST


    A while back I was looking at Sun's WBEM (Web-Based Enterprise Management)
    and noticed that the preinstall script asked for a password.  According to
    the way that Sun's packaging works, for the password to be used during the
    installation the password would need to be stored in a file.  Sure 'nuf--
    it was stored in /var/sadm/pkg/SUNWwbcor/pkginfo.  If you have installed
    WBEM and have not changed the admin password, I suggest changing the
    password.
    
    I have reported this bug to Sun.  My report and Sun's response appear
    below.  I see no indication at http://www.sun.com/solaris/wbem/ that a new
    version is available.  It does appear (from a bug report in the Sunsolve
    database) that the Solaris 8 beta includes WBEM 2.0.
    
    Without authenticating, a search for wbem at http://sunsolve.sun.com/
    reveals no documents unless I authenticate with my support login and
    password.  Using my support login, I still can find no mention of this
    installation bug.
    
    Jim-- is there any word on a publicly available fix for this?  When will
    Sun release a security patch related to this?  Since everyone had to
    register to download a copy of WBEM 1.0, will Sun send an announcement to
    those that downloaded it notifying them of the vulnerability?
    
    Mike
    
    ----- Forwarded message from Jim Davis <james.d.davisat_private> -----
    
    Date: Fri, 05 Nov 1999 14:13:43 -0500
    From: Jim Davis <james.d.davisat_private>
    To: Michael Gerdts <gerdtsat_private>
    CC: wbem-interestat_private
    Subject: Re: SECURITY: plaintext admin password stored in world readable file
    
    Hi Mike,
        This is no longer asked in the latest version. This version will be posted
    to the web in the next 3 - 4 weeks,
    
    Jim Davis
    
    
    Michael Gerdts wrote:
    
    > During the installation of SUNWwbcor 1.0, the installer is prompted for a
    > password by the package's request script.  That password is then stored in
    > plain text in /var/sadm/pkg/SUNWwbcor/pkginfo, which is a world-readable
    > file.  This seems to be a necessary evil, given the specifications of the
    > Solaris software packaging scheme.
    >
    > Please add a step to the installation instructions that explains this
    > vulnerability and instructs people to change the admin password.
    >
    > Mike
    >
    > --
    > Mike Gerdts
    > UNIX Systems Administrator
    > Computer-Aided Engineering Center
    > University of Wisconsin - Madison
    
    ----- End forwarded message -----
    
    --
    Mike Gerdts
    UNIX Systems Administrator
    Computer-Aided Engineering Center
    University of Wisconsin - Madison
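The check a practitioner would want after reading the message above, as an added example that is not part of the original post and not Sun's own code: a POSIX shell audit that walks a /var/sadm/pkg-style tree, reports every world-readable pkginfo carrying a password-looking parameter, and blanks the stored value in place. The parameter name ADMIN_PASSWD, the constructed package tree it builds in a temporary directory, and the PASS/PASSWD/PASSWORD name heuristic are all assumptions; the post does not say which parameter the SUNWwbcor request script wrote.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sun: audit a
# Solaris-style package database (/var/sadm/pkg/<PKG>/pkginfo) for
# credentials that a package request script left behind in a
# world-readable file, and blank them in place.
#
# Assumptions (not from the post): parameter lines look like NAME=value,
# and a parameter is "password-looking" if its name contains PASS,
# PASSWD or PASSWORD. ADMIN_PASSWD below is a made-up parameter name.

PASS_RE='^[A-Za-z_]*(PASS|PASSWD|PASSWORD)[A-Za-z_]*=.+'

# scan_pkginfo DIR
#   Print "PKG:PARAM" for every password-looking parameter with a
#   non-empty value in a pkginfo that is readable by "other".
#   Exit status 0 if anything was found, 1 otherwise.
scan_pkginfo() {
    dir=$1
    hits=0
    for f in "$dir"/*/pkginfo; do
        [ -f "$f" ] || continue
        # -perm -004: the "other read" bit is set, i.e. world-readable.
        [ -n "$(find "$f" -perm -004 2>/dev/null)" ] || continue
        params=$(grep -E "$PASS_RE" "$f" | cut -d= -f1)
        [ -n "$params" ] || continue
        pkg=$(basename "$(dirname "$f")")
        for p in $params; do
            printf '%s:%s\n' "$pkg" "$p"
        done
        hits=$((hits + 1))
    done
    [ "$hits" -gt 0 ]
}

# redact_pkginfo FILE PARAM
#   Replace "PARAM=anything" with "PARAM=" so the value is no longer on
#   disk. The parameter stays defined and the file keeps its mode.
redact_pkginfo() {
    file=$1
    param=$2
    cp -p "$file" "$file.tmp" &&
    sed "s/^\($param\)=.*/\1=/" "$file" > "$file.tmp" &&
    mv "$file.tmp" "$file"
}

# make_demo_tree
#   Build a constructed package tree in a temporary directory and print
#   its path. SUNWwbcor mimics the 1.0 install the post describes;
#   SUNWpriv also holds a secret but is mode 600, so it is not reported.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir "$t/SUNWwbcor" "$t/SUNWdemo" "$t/SUNWpriv"
    printf 'PKG=SUNWwbcor\nNAME=WBEM core (constructed)\nADMIN_PASSWD=Secret123\n' \
        > "$t/SUNWwbcor/pkginfo"
    printf 'PKG=SUNWdemo\nNAME=no secrets here\nBASEDIR=/opt\n' \
        > "$t/SUNWdemo/pkginfo"
    printf 'PKG=SUNWpriv\nDB_PASSWORD=hunter2\n' > "$t/SUNWpriv/pkginfo"
    chmod 644 "$t/SUNWwbcor/pkginfo" "$t/SUNWdemo/pkginfo"
    chmod 600 "$t/SUNWpriv/pkginfo"
    printf '%s\n' "$t"
}

# Stand-alone demo: scan the constructed tree, redact, scan again.
run_demo() {
    d=$(make_demo_tree)
    echo "Before redaction:"
    scan_pkginfo "$d" || echo "(nothing found)"
    redact_pkginfo "$d/SUNWwbcor/pkginfo" ADMIN_PASSWD
    echo "After redaction:"
    scan_pkginfo "$d" || echo "(nothing found)"
    rm -rf "$d"
}

run_demo
```

On a real Solaris host the call is scan_pkginfo /var/sadm/pkg. Blanking the value with redact_pkginfo only removes the copy on disk; as the post says, the password itself still has to be changed. A package's own remove scripts can read pkginfo parameters back, so look at what the package does with the parameter before redacting it.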
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:20:14 PDT