HP Ignite-UX Information Disclosure
Friday, 19 August 2005
Summary
"The HP Ignite-UX application addresses the need for HP-UX system administrators to perform system installations and deployment, often on a large scale."
A vulnerability in HP Ignite-UX allows anonymous users to access the operating system's password file.
Credit:
The information has been provided by Corsaire.
The original article can be found at: http://www.corsaire.com/advisories/c041123-001.txt
Details
Vulnerable Systems:
* HP Ignite-UX version C.6.2.240 and prior
Immune Systems:
* HP Ignite-UX version C.6.2.241 or newer
HP Ignite-UX can use a TFTP server to provide anonymous access to configuration data. When the make_recovery command is used, a copy of the /etc/passwd file is created in the TFTP server tree and made available for anonymous access.
As of version B.3.2 of the product, the make_recovery command has been deprecated in favour of the make_tape_recovery command (which does not exhibit the same issue), and as of version C.6.0 the make_recovery command does not exist in the product at all. However, if make_recovery has been run on the host at any point, a copy of the /etc/passwd file may still remain within the TFTP server tree.
Proof of Concept:
Use a TFTP client to request the file referenced by the following path:
/var/opt/ignite/recovery/passwd.makrec
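A local audit for the leftover copy described above, as an added example that is not part of the original advisory or of HP's tooling. The file path is the one given in the advisory; the function names, status words and the optional root-prefix argument (for checking a mounted image or a test directory) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether a make_recovery password copy is still
# present in the Ignite-UX tree and whether it carries password hashes.
# Path taken from the advisory; everything else here is illustrative.

MAKREC_REL="var/opt/ignite/recovery/passwd.makrec"

# Count entries whose second field holds a real password hash, i.e. is
# not empty and not a placeholder such as "*", "x" or a "!"-locked value.
count_hashed_entries() {
    awk -F: '$2 != "" && $2 != "*" && $2 != "x" && $2 !~ /^!/ { n++ }
             END { print n + 0 }' "$1"
}

# Prints ABSENT, PRESENT_NO_HASHES or PRESENT_WITH_HASHES.
# Exit status: 0 = no leftover file, 1 = leftover file, 2 = leftover
# file that still contains password hashes.
audit_makrec() {
    root="${1:-/}"
    file="${root%/}/$MAKREC_REL"
    if [ ! -f "$file" ]; then
        echo "ABSENT"
        return 0
    fi
    hashed=$(count_hashed_entries "$file")
    if [ "$hashed" -gt 0 ]; then
        echo "PRESENT_WITH_HASHES"
        return 2
    fi
    echo "PRESENT_NO_HASHES"
    return 1
}

# Run the audit only when a root prefix is passed on the command line,
# e.g. "sh audit_makrec.sh /" on the host itself.
if [ "$#" -gt 0 ]; then
    audit_makrec "$1"
fi
```

Even a PRESENT_NO_HASHES result means the account list is readable by anyone who can reach the TFTP service, so the leftover file is worth clearing in either case.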
CVE Information:
CAN-2004-0951
Disclosure Timeline:
Discovered: 23.11.04 (Martin O'Neal)
Vendor notified: 23.11.04
Document released: 16.08.05