Russell Coker
2009-Mar-22 11:45 UTC
[Secure-testing-team] Bug#520724: snmpd: fails to set the group (gid), this will be a security problem in some configurations
Package: snmpd
Version: 5.4.1~dfsg-12
Severity: grave
Tags: security
Justification: user security hole

The following output of "ps" shows that the group is "root":

ps -eo pid,user,euser,suser,fuser,group,egroup,sgroup,fgroup,comm|head -1 ; ps -eo pid,user,euser,suser,fuser,group,egroup,sgroup,fgroup,comm|grep snmp
  PID USER     EUSER    SUSER    FUSER    GROUP    EGROUP   SGROUP   FGROUP   COMMAND
 4503 snmp     snmp     snmp     snmp     root     root     root     root     snmpd

This means that it can write to /dev/mapper/control, /dev/kmsg, and /dev/xen/evtchn, as well as probably some files and directories that are created by the sysadmin. If for example the /root directory had mode 0770 then this would permit the snmpd to take over the root account.

While it would require that the snmpd be compromised to take advantage of this, I believe that it's a security flaw to run code with GID 0 when there is no need for it.
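The check behind the "ps" output in the report above, generalized to every process on a host, as an added example that is not part of the original bug report or of the snmpd package. The function name, the sample rows other than the snmpd line, and the output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag processes that switched to a non-root user but still
# carry the root group in any of the four group fields shown in the report.
# Reads `ps -eo pid,user,euser,suser,fuser,group,egroup,sgroup,fgroup,comm`
# output on stdin; prints "PID COMMAND EUSER <fields still root>" per match.
find_root_gid_leftovers() {
    awk '
    NR == 1 {
        # Locate columns by header name so a different -o order still works.
        for (i = 1; i <= NF; i++) col[$i] = i
        if (!("PID" in col) || !("EUSER" in col) || !("COMMAND" in col)) {
            print "missing PID/EUSER/COMMAND column" > "/dev/stderr"
            exit 2
        }
        ngrp = split("GROUP EGROUP SGROUP FGROUP", grp, " ")
        next
    }
    {
        euser = $(col["EUSER"])
        if (euser == "root" || euser == "0") next   # root processes are expected
        kept = ""
        for (g = 1; g <= ngrp; g++) {
            if (!(grp[g] in col)) continue
            v = $(col[grp[g]])
            if (v == "root" || v == "0") kept = kept (kept == "" ? "" : ",") grp[g]
        }
        if (kept != "") print $(col["PID"]), $(col["COMMAND"]), euser, kept
    }'
}

# Constructed sample input; only the snmpd row comes from the report.
sample_ps_output() {
    cat <<'EOF'
  PID USER     EUSER    SUSER    FUSER    GROUP    EGROUP   SGROUP   FGROUP   COMMAND
    1 root     root     root     root     root     root     root     root     init
 4503 snmp     snmp     snmp     snmp     root     root     root     root     snmpd
 4610 daemon   daemon   daemon   daemon   daemon   root     daemon   daemon   partial
 4720 www-data www-data www-data www-data www-data www-data www-data www-data apache2
EOF
}

# On a live host: ps -eo pid,user,euser,suser,fuser,group,egroup,sgroup,fgroup,comm | find_root_gid_leftovers
sample_ps_output | find_root_gid_leftovers
```

The "ps" group columns do not show supplementary groups, so a daemon that appears clean here can still hold extra group memberships; those are listed on the Groups: line of /proc/PID/status.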