Axent ESM 5.0 User Profile Permission Vulnerability
TITLE: Axent ESM 5.0 User Profile Permission Vulnerability
CLASS: Design Error
CVE:
REMOTE: No
LOCAL: Yes
PUBLISHED: Jul 12 1999 12:00AM
UPDATE: Jul 12 1999 12:00AM
CREDIT: This vulnerability was forwarded to the staff at Security-Focus.com.
VULNERABLE:
Axent ESM 5.0
-AT&T SVR4 4.0
-Digital OpenVMS 7.1
-Digital UNIX 4.0
-HP HP-UX 11.0
-HP HP-UX 10.0
-HP HP-UX 9.0
-IBM AIX 4.3
-IBM AIX 4.2
-IBM AIX 4.1
-SGI IRIX 6.0
-SGI IRIX 5.3
-Sun Solaris 7.0
-Sun Solaris 2.6
-Sun Solaris 2.5
-Sun Solaris 2.4
-Sun Solaris 2.3
-Sun Solaris 2.2
-Sun Solaris 2.1
-Sun Solaris 2.0
-Sun SunOS 4.1.4
-Sun SunOS 4.1.3
NOT VULNERABLE: Axent ESM 4.5
-AT&T SVR4 4.0
-Digital OpenVMS 7.1
-Digital OSF/1 3.0
-Digital UNIX 4.0
-Digital UNIX 3.2 G
-HP HP-UX 11.0
-HP HP-UX 10.0
-HP HP-UX 9.0
-IBM AIX 4.3
-IBM AIX 4.2
-IBM AIX 4.1
-SGI IRIX 6.0
-SGI IRIX 5.3
-Sun Solaris 2.6
-Sun Solaris 2.5
-Sun Solaris 2.4
-Sun Solaris 2.3
-Sun Solaris 2.2
-Sun Solaris 2.1
-Sun Solaris 2.0
-Sun SunOS 4.1.4
-Sun SunOS 4.1.3
Vai alla pagina originale su Security Focus
Discussion
Certain checks within Axent's ESM 5.0 for Unix may prevent legitimate users from logging on to scanned hosts.
Specifically, four checks within the security auditing program may cause this denial of service:
Check PATH using 'su'
Check PATH by modifying startup script
Check umask using 'su'
Check umask by modifying startup script
These checks are not enabled in the default policy templates.
When ESM is checking PATH (or umask) values, it will 'su' to the user's account. If the user's script calls a menu function, ESM will not respond and the check will hang. To overcome this problem, ESM copies the startup script to the /tmp directory, adds additional values to the end of the script, and copies the script back to the user's directory. The new values in the script will echo the PATH and umask values to a file called .esmvalues in the user's home directory the next time the user logs in. When ESM is run again, it will read the contents of .esmvalues to determine the PATH and umask values. This procedure eliminates the problems associated with 'su'ing to the account and hanging on a menu call.
Unfortunately, when ESM copies the file to /tmp, file ownership and permissions are changed to 'root'. When the file is copied back to the user's directory, only root has access - legitimate users will not be able to execute their login script.
Exploit
See discussion.
Solution
Solution:
Use ESM version 4.5. The Hot-Fix for this problem will be available from Axent Support in August and should be remotely installable. Axent ESM 5.0.1 (as of this post date is to be released) will include the hot-fix.
The following message has been provided to Security Focus from AXENT:
AXENT appreciates the opportunity to respond to the issues raised with this posting. The first statement indicates that users cannot log into scanned hosts. This is not true--users can log in, but they will not be able to access their startup scripts. This bug constitutes more of an inconvenience to the user, than a security threat.
The bug was discovered a short time ago and there is a current procedure for correcting the ownership of files that may have been affected. Currently there is a newer version of the affected usrfiles module that does not change the ownership of the startup scripts. This procedure and/or the updated module can be obtained by contacting AXENT support. This version of the usrfiles module is also included in the August HotFix for ESM that customers can remotely install on all systems. The hot fix is only needed for ESM 5.0 UNIX agents. Earlier versions of ESM agents do not have this problem. The fix will also be included in the upcoming ESM 5.0.1 release.
As was indicated in the original posting, this check was not turned on by default and most ESM 5.0 customers have probably not used it. If you desire the procedure to correct the affected files or the updated module, please contact AXENT support at support@axent.com
References
References:
Keywords for this page:
esmvalues file in HP UX (from google) first seen: 2006-08-22 11:51:33
esmvalues (from google) first seen: 2007-08-13 20:36:20 hit: 3
esmvalues (from google) first seen: 2007-08-15 17:39:17 hit: 2
esmvalues in unix (from google) first seen: 2007-09-06 07:18:39
axent esm 6 0 errors (from google) first seen: 2007-09-07 21:58:39
unix esmvalues (from google) first seen: 2007-09-11 12:21:23 hit: 2
umask esmvalues (from google) first seen: 2007-09-24 15:53:06
axent esmvalues (from google) first seen: 2007-10-17 19:21:55 hit: 2
solaris check umask (from google) first seen: 2007-12-14 16:42:27
t (from google) first seen: 2008-02-12 10:19:31 hit: 13
axent permissions (from google) first seen: 2008-03-24 07:50:08 hit: 2
solaris esmvalues (from google) first seen: 2008-04-17 21:24:36
google axent (from google) first seen: 2008-04-20 15:08:36
no path in service usrfiles - using /tmp (from google) first seen: 2008-04-23 20:39:26
user profile permissions (from google) first seen: 2008-04-28 13:44:19
profile permissions solaris (from google) first seen: 2008-05-02 00:34:39
linux login problem esm (from google) first seen: 2008-06-05 17:16:17
axent only root can login (from google) first seen: 2008-06-05 17:17:49
hot to check user permission on solaris (from google) first seen: 2008-06-10 11:48:37
esm usrfiles (from google) first seen: 2008-06-12 15:35:12
scripting user accounts on hpux (from google) first seen: 2008-06-13 03:01:49
su permission for user in hpux (from google) first seen: 2008-06-17 14:05:29
axent solaris (from google) first seen: 2008-06-20 00:28:49
aix menu script (from google) first seen: 2008-06-22 07:45:18
su hanging aix (from google) first seen: 2008-06-23 16:21:52
axent security file (from google) first seen: 2008-06-24 20:03:31
check user permissionaix (from google) first seen: 2008-07-03 21:40:02
who to check the user profile in aix 5 3 (from google) first seen: 2008-07-04 11:58:14
how to check user profile in aix (from google) first seen: 2008-07-07 07:54:14
unix check umask (from google) first seen: 2008-07-07 15:31:42
how to check umask on solaris (from google) first seen: 2008-07-08 19:24:27
check for esm hpux (from google) first seen: 2008-07-09 12:37:55
how to check profile of user in solaris (from google) first seen: 2008-07-11 14:04:50
sun solaris login script (from google) first seen: 2008-07-15 11:27:19
how to check directory permission in solaris (from google) first seen: 2008-07-15 17:58:27
user profile path in aix (from google) first seen: 2008-07-16 12:41:31 hit: 2
how to check user permissions in unix scripting (from google) first seen: 2008-07-18 09:34:56
how to check user umask (from google) first seen: 2008-07-18 15:25:51
axent esm agent (hang or not respond) (from google) first seen: 2008-07-21 12:50:33
how to check umask in aix (from google) first seen: 2008-07-21 16:11:19
where user profile solaris (from google) first seen: 2008-07-21 21:26:05
checking user permissions for linux users (from google) first seen: 2008-07-22 15:26:26
not able to login with user accounts from remotely in aix 5 3 (from google) first seen: 2008-07-23 10:27:27
check umask on solaris (from google) first seen: 2008-07-24 07:23:55
check umask solaris (from google) first seen: 2008-07-24 18:26:58
esm linux vulnerability checking tool (from google) first seen: 2008-07-28 20:54:32
esm hp-ux log dir (from google) first seen: 2008-07-30 17:19:48
aix su hangs (from google) first seen: 2008-08-01 20:43:21 hit: 2
how to check the profile in aix (from google) first seen: 2008-08-04 17:24:25
solaris script to check permissions and ownership (from google) first seen: 2008-08-05 15:16:58
what is esm pilicy unix (from google) first seen: 2008-08-19 20:31:44
unix check group user permission profile (from google) first seen: 2008-08-20 11:57:45
checking the permission of users in solaris (from google) first seen: 2008-08-20 12:51:28
need install esm to aix 5 3 (from google) first seen: 2008-08-21 05:34:47
root user permission checking in solaris (from google) first seen: 2008-08-21 14:56:44
umask permission unix hp (from google) first seen: 2008-08-21 22:30:12
solaris user umask (from google) first seen: 2008-08-22 14:34:20
esm install on aix (from google) first seen: 2008-08-27 04:21:15
check user permissions on solaris (from google) first seen: 2008-08-28 03:07:53 hit: 2
esm security at (from google) first seen: 2008-08-28 08:36:42
unix aix // profile permissions (from google) first seen: 2008-08-28 21:37:01
how to install esm agent on aix (from google) first seen: 2008-08-28 22:00:18
checking the permission of a user for directory in solaris (from google) first seen: 2008-09-02 11:49:52
f (from google) first seen: 2008-09-03 08:51:47 hit: 8
esm linux (from google) first seen: 2008-09-05 05:29:58
check permissions for user in aix (from google) first seen: 2008-09-08 01:01:42
user login troubleshoot in solaris 9 0 (from google) first seen: 2008-09-09 09:32:15
checking user profile solaris (from google) first seen: 2008-09-10 21:50:41
permission on solaris (from google) first seen: 2008-09-11 18:45:06
how to check what user groups in aix unix (from google) first seen: 2008-09-16 19:22:41
how do i check user permission in sun os (from google) first seen: 2008-09-18 04:53:03
check user permission in aix (from google) first seen: 2008-09-22 07:18:19
aix 5 3 profile user path (from google) first seen: 2008-09-22 08:35:27
unix su hangs (from google) first seen: 2008-09-22 15:59:11
solaris checkuser (from google) first seen: 2008-09-24 00:16:19
aix path profile (from google) first seen: 2008-09-25 13:20:17
directory permission in solaris (from google) first seen: 2008-09-26 09:41:28
hp ux check user permissions (from google) first seen: 2008-10-01 15:36:18
sun solaris check user group (from google) first seen: 2008-10-01 16:14:55
check umask for user (from google) first seen: 2008-10-02 19:49:01
how to check vulnerability on hpux user accounts (from google) first seen: 2008-10-05 19:03:16
user profile in aix (from google) first seen: 2008-10-05 20:37:02
check umask of users in solaris (from google) first seen: 2008-10-11 09:16:46
umask aix (from google) first seen: 2008-10-13 13:32:44
unix check user permissions aix 5 3 (from google) first seen: 2008-10-13 20:05:02
how to check user permissions aix 5 3 (from google) first seen: 2008-10-13 20:05:55
aix 5 root exploits -paginit -diag (from google) first seen: 2008-10-14 13:58:00
checking umask in aix (from google) first seen: 2008-10-14 19:42:31
permissions on profile aix (from google) first seen: 2008-10-20 09:50:46
how to check group permission solaris (from google) first seen: 2008-10-20 13:56:36
how to check the owner permission in solaris (from google) first seen: 2008-10-24 08:13:53
esm file permissions (from google) first seen: 2008-10-26 17:36:40
check umask how to (from google) first seen: 2008-10-28 11:19:03
check permission aix (from google) first seen: 2008-10-28 15:35:10
profile login solaris check first login (from google) first seen: 2008-10-29 10:31:25
change user umask solaris 9 (from google) first seen: 2008-10-30 08:17:58
how to check umask for a user (from google) first seen: 2008-11-03 07:38:31
solaris script to change file permissions (from google) first seen: 2008-11-03 23:18:04
user permission aix (from google) first seen: 2008-11-05 07:13:06
how to check umask on file (from google) first seen: 2008-11-05 14:29:29
aix set user permissions (from google) first seen: 2008-11-05 16:34:03
where is change permission script on sun solaris (from google) first seen: 2008-11-06 17:15:32
o (from google) first seen: 2008-11-07 09:12:33
check directory permissions in solaris (from google) first seen: 2008-11-07 13:09:23
solaris 9 user as root (from google) first seen: 2008-11-07 16:09:41
permission for users in one group aix (from google) first seen: 2008-11-07 18:52:51
checking the permissions for root in solaris (from google) first seen: 2008-11-10 02:28:04
umask in solaris profile (from google) first seen: 2008-11-10 16:39:45
install esm agent in hp ux (from google) first seen: 2008-11-19 15:42:46
GoogleBot visited this page on: 2008-11-20 19:59:01