Title: AIX Snap command password vulnerability Author: Larry W. Cashdollar, @_larry0 Date: 1999-02-17 CVE-ID:[CVE-1999-1405] Download Site: www.ibm.com Vendor: IBM AIX Vendor Notified: 1999-02-17 Vendor Contact: bugtraq email Advisory: http://www.vapid.dhs.org/advisories/AIX_snap-1998.html Description: The snap command is a diagnostic utlitiy for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/ under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. The danger here is if a system administrator executes snap -a as sometimes requested by IBM support while diagnosing a problem it defeats password shadowing. /tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack and gain access to the password file. Vulnerability: snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command.