COMMAND

    snap

SYSTEMS AFFECTED

    AIX up to 4.3.2

PROBLEM

    Larry W. Cashdollar posted the following. The snap command is a
    diagnostic utility for gathering system information on AIX
    platforms. It can only be executed by root, but it copies various
    system files into /tmp/ibmsupt/, and under /tmp/ibmsupt/general/
    you will find the passwd file with ciphertext. The danger here is
    that if a system administrator executes snap -a, as sometimes
    requested by IBM support while diagnosing a problem, it defeats
    password shadowing. /tmp/ibmsupt is created with 755 permissions.

    snap is a shell script which uses cp -p to gather system
    information. Data from /etc/security is gathered between lines
    721 and 727 of the script. Because snap uses the
    /tmp/ibmsupt/general directory, a normal user may create that
    directory beforehand (tested on AIX 4.2.1), then do a touch on
    /tmp/ibmsupt/general/passwd. Once the passwd file is created, do
    tail -f /tmp/ibmsupt/general/passwd. If someone in another session
    logs in as root and runs snap -a, the contents of
    /etc/security/passwd show up in the tail output.

SOLUTION

    This problem seems to have been fixed at 4.3.2.
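
    On systems where snap still has to be run, the output directory
    can be audited before and after the run. The script below is an
    added example, not part of the original post or of snap itself;
    the function name, the output labels and the default owner uid of
    0 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the snap output directory around a "snap -a" run.
#
# audit_snap_dir DIR [OWNER_UID]
#   DIR        snap output directory (/tmp/ibmsupt in the advisory)
#   OWNER_UID  numeric uid expected to own every entry (assumed 0, root)
# Prints one line per finding; returns 0 if clean, 1 if anything is flagged.
audit_snap_dir() {
    dir=$1
    owner=${2:-0}
    findings=0

    # Directory absent: nothing was pre-created, nothing is exposed yet.
    [ -e "$dir" ] || return 0

    # Entries owned by another uid were created before snap ran
    # (the pre-created general/passwd case described above).
    foreign=$(find "$dir" ! -user "$owner" -print)
    if [ -n "$foreign" ]; then
        echo "$foreign" | sed 's/^/NOT-OWNED-BY-EXPECTED-UID: /'
        findings=1
    fi

    # Entries with the "other" read bit set are open to every local
    # user (the 755 directory described above).
    exposed=$(find "$dir" -perm -004 -print)
    if [ -n "$exposed" ]; then
        echo "$exposed" | sed 's/^/WORLD-READABLE: /'
        findings=1
    fi

    return $findings
}
```

    Run audit_snap_dir /tmp/ibmsupt before invoking snap -a and again
    afterwards; any output means the directory should be removed or
    locked down before the collected data is left in place.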