what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 03-08-07.1

Atstake Security Advisory 03-08-07.1
Posted Aug 10, 2003
Authored by David Goldsmith, Atstake | Site atstake.com

Atstake Security Advisory A080703-1 - Both IPNetSentryX and IPNetMonitorX come with three helper tools that each have security issues associated with them. The first two tools: RunTCPDump and RunTCPFlow allow arbitrary users to monitor the network without requiring any form of authentication or privilege. The third tool, tcpflow (executed by RunTCPFlow), contains a format string vulnerability, allowing arbitrary commands to be run as the user calling the program. Since RunTCPFlow is setuid root and will pass arguments to tcpflow, we can execute arbitrary commands as root.

tags | advisory, arbitrary, root
SHA-256 | e9e60f02bd40ae6f22a3de8966d31b5d80e4df271203a7ad9f1e8286a57adf29

Atstake Security Advisory 03-08-07.1

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Sustworks Unauthorized Network Monitoring and
tcpflow format string attack
Release Date: 08/07/2003
Application: IPNetMonitorX and IPNetSentryX
Platform: Mac OS X
Severity: Local users can sniff network traffic
Local users can become root
Author: Dave G. <daveg@atstake.com>
Vendor Status: Fix available
CVE Candidate: CVE candidate number applied for
Reference: www.atstake.com/research/advisories/2003/a080703-1.txt


Overview:

IPNetSentryX and IPNetMonitorX are network tools that provide
firewalling and general network monitoring respectively. Both of
these tools come with three helper tools that each have security
issues associated with them. The first two tools: RunTCPDump and
RunTCPFlow allow arbitrary users to monitor the network without
requiring any form of authentication or privilege. The third tool,
tcpflow (executed by RunTCPFlow), contains a format string
vulnerability, allowing arbitrary commands to be run as the user
calling the program. Since RunTCPFlow is setuid root and will pass
arguments to tcpflow, we can execute arbitrary commands as root.


Details:

RunTCPDump and RunTCPFlow are setuid root helper applications that
simply execute /usr/sbin/tcpdump and /usr/local/bin/tcpflow. These
helper applications pass all arguments to the commands they are
executing, allowing users to execute tcpdump and tcpflow however
they choose. Unfortunately, any user with interactive access to a
Mac OS X system with IPNetSentryX or IPNetMonitorX can run these
commands. This allows any user on the system to be able to view
all network traffic that pass through the vulnerable system.

For example:

bash-2.05a$ id
uid=503(dummy) gid=20(staff) groups=20(staff)
bash-2.05a$ pwd
/Applications/IPNetSentryX.app/Contents/Resources
bash-2.05a$ ./RunTCPDump -i en1 -x -v -s 4096
RunTCPDump: listening on en1
18:02:55.726143 arp who-has 192.168.0.1 tell 192.168.0.1
0001 0800 0604 0001 XXXX XXXX XXXX XXXX
0001 0000 0000 0000 c0a8 0001 0000 0000
0000 0000 0000 0000 0000 0000 0000


Additionally, tcpflow is vulnerable to a format string
vulnerability, which normally would not be a serious security
vulnerability. However, since any user on a system that has
IPNetSentryX or IPNetMonitorX and tcpflow installed can cause
tcpflow to be executed as root via RunTCPFlow, an attacker can
use this vulnerability to become root. A corresponding
@stake advisory (a080703-2) has been released on the tcpflow
format string attack.


Vendor Response:

These vulnerabilities are mitigated in the latest version of
IPNetSentryX and IPNetMonitorX available from
http://www.sustworks.com. Mitigation strategies include
stronger input validation and access control to RunTCPDump
and RunTCPFlow.


Recommendation:

Upgrade to the latest version of IPNetSentryX and tcpflow.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CVE candidate number applied for


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.





-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPzKp50e9kNIfAm4yEQLzUACg8NWt5xklZb72A+1x9b/a9FVC7YcAn0qp
+za7wOpXnQ6cmqlu3gEkm5ae
=sYTv
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close