0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

OpenBSD net-snmp Information Disclosure Vulnerability

Author

Pierre Kim

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

CVE

Platform

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

## Advisory Information

Title: OpenBSD package 'net-snmp' information disclosure
Advisory URL: https://pierrekim.github.io/advisories/CVE-2015-8100-openbsd-net-snmp.txt
Blog URL: https://pierrekim.github.io/blog/2015-11-12-CVE-2015-8100-OpenBSD-package-net-snmp-information-disclosure.html
Date published: 2015-11-12
Vendors contacted: Stuart Henderson, OpenBSD Package maintainer
Release mode: Released
CVE: CVE-2015-8100



## Product Description

Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and
SNMP v3 using both IPv4 and IPv6.

This software is available in OpenBSD as a port (/usr/ports/net/net-snmp).



## Vulnerabilities Summary

By default, when OpenBSD package and ports are used, the snmpd
configuration file
has weak permissions which allows a local user to retrieve sensitive
information.



## Details

By default the permissions of the snmpd configuration file in OpenBSD
are 0644 instead of 0600:

  # cd /usr/ports/net/net-snmp
  # make install clean
  [...]
  # ls -latr /etc/snmp/snmpd.conf
  -rw-r--r--  1 root  wheel  6993 Nov  4 09:16 /etc/snmp/snmpd.conf
  #

The same problem occurs when the provided package is installed with
`pkg_add http://ftp.spline.de/pub/OpenBSD/5.8/packages/i386/net-snmp-5.7.3p0.tgz`:

  # ls -latr /etc/snmp/snmpd.conf
  -rw-r--r--  1 root  wheel  6993 Nov  4 08:37 /etc/snmp/snmpd.conf
  #

The snmpd configuration file is readable by a local user and contains
the credentials
for read-only and read-write access (for SNMPv1, SNMPv2 and SNMPv3
protocols) and
gives a local user unnecessary/dangerous access:


  [...]

  rocommunity public  default    -V systemonly
  #rocommunity secret  10.0.0.0/16
  rouser   authOnlyUser
  #rwuser   authPrivUser   priv

  [...]

This problem is OpenBSD-specific as the
/var/db/pkg/net-snmp-5.7.3p0/+CONTENTS file confirms:
  @ts 1438958635
  @sample /etc/snmp/snmpd.conf

Futhermore, by default, `/usr/local/sbin/snmpd` runs as root.



## Vendor Response

This problem has been fixed in the -STABLE and -CURRENT packages.



## Report Timeline

 * Nov 04, 2015: Vulnerability found by Pierre Kim.
 * Nov 06, 2015: Stuart Henderson is notified of the vulnerability.
 * Nov 06, 2015: Stuart Henderson confirms the vulnerability and fixes
the package permissions for the sample configuration file in -current
and -stable.
 * Nov 06, 2015: Stuart Henderson re-activates an option (can be
configured with rc.conf.local) to run net-snmp as a separate uid to
improve security.
 * Nov 10, 2015: OSS-Security is contacted to get a CVE
 * Nov 10, 2015: cve-assign@mitre.org assigns CVE-2015-8100
 * Nov 12, 2015: A public advisory is sent to security mailing lists.



## Credit

This vulnerability was found by Pierre Kim (@PierreKimSec).



## References

https://pierrekim.github.io/advisories/CVE-2015-8100-openbsd-net-snmp.txt
http://openports.se/net/net-snmp



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWRKFEAAoJEMQ+Dtp9ky28Jq4P/iUv706dteWtl9HkPHkSVbql
yO8ZJGnJtEXX3SOR5OKd07rxwP4W1gIYJtLSTUfEk+91LRpP8ZNgDIMDG1pIKS5l
2S+6SQ+8yQXCcnm54KAc8DQM3tJHUp/RG8/6UR30V0v83ELnLmAX01BWOMEIvle2
N1cd59cPUZ4Qafee1p8wbyDWi1WBB1d89d7YKf3v78L34COTEBXPRLPs+DQCU7nD
vmGzsFKcNjr8Hr2pq9aQmNmmuE82GtuEk3e1OKR5Pe4uYWoEAuFJOnswFjABDSch
0wvWx1d6G2iOMwPIRLL+BXMgGzPpKB4KjgYPH/3OYJVXywKfEw0pBnu+Svb31/JV
MVnnw6+fuunOLe7GxrI4M5FE2JfMD4CUiarFHRK6I5XDJm1dsvTHIsJUwA+9FTTH
7kJY/xKHJ3YpjrKT2K2WAmvsJCTswkbvPr5LKNGgOLlUzVUetYo1hhGT6fo5ppQE
RMpWkpX1DGJ+5RzlcLhLqguznv/SVwAA78TwailvF28LW2kSHJDOIpUht2xRdQ2Q
JJZwcoO69qsterKF+UCcucWXDSjUjzI/Vrvm/aV+BAu4oKVG5QvVNplbHDYruLl5
9OMF1C5+z8GcQf27u1RG69VAOx66GnPFGTPUiaKfsgqfh3jEMJw3IlT1LBCAZao4
FXQizA+QOejXTiuHqYE9
=qkHs
-----END PGP SIGNATURE-----

-- 
Pierre Kim
pierre.kim.sec@gmail.com
@PierreKimSec
https://pierrekim.github.io/

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

OpenBSD net-snmp Information Disclosure Vulnerability

Report Error

Report Error