Vulnerability in Sawmill for Solaris v. 6.2.14

From: darky0daat_private
Date: Mon Feb 11 2002 - 12:27:26 PST


    
    _=_ Warped Force Advisory #2 _=_
    
    Subject: Vulnerability in Sawmill for Solaris v. 6.2.14
    Author:	darky0da <darky0daat_private>
    Discovered: 2.8.02
    Announced to BugTraq: 2.11.02
    Vendor Status: Vendor notified on 2.9.02 and verified issue.
    Upgrade v. 6.2.15 released on 2.10.02
    Platform(s) Tested: Solaris 2.8; may also include other UNIX
    versions
    Product Homepage: http://www.sawmill.net
    
    Problem / Exploit: When the Sawmill executable is launched and the user enters
    an initial password, the password is saved in the file AdminPassword. This file
    is created mode 0666 (world read/writeable permissions).
    
    This happens regardless of the password_file_permissions setting in file
    DefaultConfig, which is by default set to mode 0600. I have tried
    this with user and root privileges and it occurs in each instance.
    
    The default path to file AdminPassword is accessible to users.
    The LogAnalysisInfo directory is created mode 0755.
    
    The AdminPassword file stores the password as an MD5 hash. It is trivial to
    overwrite this value with the hash of a password of my choosing:
    
    "rm AdminPassword; echo mypasswd | perl -p -e 'chomp' | md5sum | \
    sed 's/  -//' | perl -p -e 'chomp' > AdminPassword"
    
    I have tested the above thoroughly and it works quite well, allowing me
    access to all parts of the Sawmill pages.
    
    Solution: Upgrade to version 6.2.15;
    chmod 600 AdminPassword
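    As an added illustration, not part of the advisory or of Sawmill's own code, the
    following Python shows the file-creation pattern that avoids this bug class: the
    secret file gets mode 0600 at creation time rather than by a later chmod, and a
    small audit helper flags a file left world-accessible the way AdminPassword was.
    File names and contents are constructed in a temporary directory.

```python
import os
import stat
import tempfile

def write_secret_file(path: str, data: bytes) -> None:
    """Create `path` holding `data`, readable and writable only by the owner.

    The mode is passed to os.open, so the file never exists with permissive
    bits. O_EXCL refuses to clobber an existing file (or a symlink planted
    by another local user). fchmod then forces exactly 0o600: the umask can
    only strip bits from the requested mode, never add them, but a very
    permissive umask should not be trusted either.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, data)
    finally:
        os.close(fd)

def audit_secret_file(path: str) -> list:
    """Return the findings for a file that should be owner-only (empty if OK)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-accessible")
    return findings

def demo() -> dict:
    """Contrast a 0666 password file (the reported behaviour) with a correct one."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "AdminPassword_bad")
        good = os.path.join(d, "AdminPassword_good")
        with open(bad, "wb") as f:          # constructed reproduction: mode 0666
            f.write(b"constructed-hash-value")
        os.chmod(bad, 0o666)
        write_secret_file(good, b"constructed-hash-value")
        return {
            "bad": audit_secret_file(bad),
            "good": audit_secret_file(good),
            "good_mode": stat.S_IMODE(os.stat(good).st_mode),
        }

if __name__ == "__main__":
    print(demo())
```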
    
    Shouts:
    sawmill folks
    pworks
    grdpnt-l
    
    
    
    