
Thread: Vulnerability: Sawmill for Solaris

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Vulnerability: Sawmill for Solaris

    When the Sawmill executable is launched and the user enters an initial password, the password is saved in file AdminPassword. This file is created mode 0666 (world read/writeable permissions).


    This happens regardless of the password_file_permissions setting in file DefaultConfig, which is by default set to mode 0600. I have tried this with user and root privileges and it occurs in each instance.

    The default path to file AdminPassword is accessible to users.
    The LogAnalysisInfo directory is created mode 0755.

    The contents of the AdminPassword file are MD5'ed. It is trivial to overwrite this value with a password of my choosing:

    "rm AdminPassword; echo mypasswd | perl -p -e 'chomp' | md5sum | sed 's/ -//' | perl -p -e 'chomp' > AdminPassword"

    I have tested the above thoroughly and it works quite well, allowing me access to all parts of the Sawmill pages.

    Solution: Upgrade to version 6.2.15;
    chmod 600 AdminPassword

    Shouts:
    sawmill folks
    pworks
    grdpnt-l
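
Added example, not part of the original post or of Sawmill itself: a POSIX sh audit for the condition described above, which checks the mode of AdminPassword under a given LogAnalysisInfo directory and applies the advisory's `chmod 600`. The function names and the directory argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit and tighten the Sawmill AdminPassword file.
# Function names and the directory argument are illustrative assumptions.

# has_perm FILE OCTAL: succeeds if FILE has every permission bit in OCTAL set.
# Uses POSIX find so it does not depend on a stat(1) utility being installed.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_admin_password DIR: prints one finding and returns
#   0 = owner-only, 1 = group/other access, 2 = world-writable, 3 = file missing
audit_admin_password() {
    f="$1/AdminPassword"
    [ -f "$f" ] || { echo "MISSING  $f"; return 3; }
    if has_perm "$f" 0002; then
        echo "CRITICAL $f is world-writable; the stored hash can be replaced"
        return 2
    fi
    for bit in 0040 0020 0010 0004 0001; do
        if has_perm "$f" "$bit"; then
            echo "WARN     $f grants group/other access (bit $bit)"
            return 1
        fi
    done
    echo "OK       $f is owner-only"
    return 0
}

# fix_admin_password DIR: applies the advisory's chmod 600, then re-audits.
fix_admin_password() {
    chmod 600 "$1/AdminPassword" && audit_admin_password "$1"
}

# Stand-alone use: pass the LogAnalysisInfo directory as the first argument.
if [ "$#" -gt 0 ]; then
    audit_admin_password "$1"
fi
```

If the audit reports the file as world-writable, treat the stored hash as untrusted and set a new admin password after fixing the mode.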

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193


    s0nIc what is sawmill, never heard of it.
    Trappedagainbyperfectlogic.
