VYPR
Unrated severity · NVD Advisory · Published Feb 17, 1999 · Updated Apr 16, 2026

CVE-1999-1405

Description

The AIX snap diagnostic command creates a world-readable temporary directory and copies shadowed passwords, enabling local users to steal password hashes via a race condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The snap diagnostic utility in AIX before version 4.3.2 creates the directory /tmp/ibmsupt with world-readable permissions (755) instead of a restricted mode. When called with the -a flag, it copies system files, including the shadowed password file /etc/security/passwd, into a subdirectory /tmp/ibmsupt/general/. Additionally, snap does not remove or clear this directory prior to copying, allowing a local attacker to pre-create a symlink or file with the same name as the target (/tmp/ibmsupt/general/passwd) and thereby intercept the sensitive data [1][2].

Exploitation

A local attacker first creates the directory /tmp/ibmsupt/general/ (if it does not exist) and then creates a file at /tmp/ibmsupt/general/passwd. The attacker can then use a file-monitoring command such as tail -f /tmp/ibmsupt/general/passwd to watch for changes. When a privileged user (root) executes snap -a, the utility overwrites the attacker's file with the contents of /etc/security/passwd, causing the password hashes to appear in the tail output. The attack requires only local shell access and the ability to create files in /tmp [1].

Impact

A successful attack discloses the system's shadowed password file (hashed passwords). An attacker can then attempt offline password cracking to obtain plaintext credentials, potentially leading to unauthorized privilege escalation or system compromise. The flaw itself grants no privilege escalation or file write; its direct impact is limited to information disclosure [1][2].

Mitigation

IBM addressed the issue in AIX version 4.3.2 by ensuring that /tmp/ibmsupt is created with restricted permissions and that the temporary directory is cleared before use. Users of earlier AIX versions should upgrade to 4.3.2 or later. As no workaround is documented, administrators on unpatched systems should avoid using snap -a and exercise caution when running diagnostic scripts [2].
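
The two properties named in the fix (restricted permissions, staging directory cleared before use), sketched as an added shell example; it is not IBM's code and does not come from the advisory. `stage_secret`, `audit_staging` and their arguments are hypothetical names, with BASE standing in for /tmp/ibmsupt and SRC for the collected file.

```shell
#!/bin/sh
# Added example (constructed): hardened staging for a diagnostic collector.
# BASE stands in for /tmp/ibmsupt, SRC for the sensitive file being collected.

# stage_secret BASE SRC (hypothetical helper): copy SRC to BASE/general/passwd
# in a directory that only the invoking user can enter.
stage_secret() (
    base=$1
    src=$2
    umask 077                  # new directories 0700, new files 0600
    # Clear anything left or planted by another user. rm removes a symlink
    # itself rather than following it, and unlinking a planted file means a
    # reader that already holds it open never sees the new contents.
    rm -rf "$base" || exit 1
    # mkdir without -p fails if the path reappears before we create it,
    # so a directory made by someone else is never adopted.
    mkdir "$base" || exit 1
    mkdir "$base/general" || exit 1
    set -C                     # noclobber: '>' fails if the file already exists
    cat "$src" > "$base/general/passwd" || exit 1
)

# audit_staging BASE (hypothetical helper): return 0 if BASE is absent or is a
# real directory with mode 0700, 1 otherwise (symlink, or group/other access).
audit_staging() {
    if [ -L "$1" ]; then return 1; fi
    if [ ! -e "$1" ]; then return 0; fi
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}
```

`audit_staging` can be run against the staging path on a system that has not been upgraded, to flag a directory left behind with group or other access.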

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9
  • IBM/Aix · 9 versions
    • cpe:2.3:o:ibm:aix:3.2.5:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.2:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.2.1:*:*:*:*:*:*:*
    • (no CPE) range: <4.3.2

Patches

0

No patches discovered yet.

References

3
