exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Feb 12, 2004
Authored by Martin

aimSniff.pl 0.9b has a file deletion flaw. If the utility is run as root, a symlink attack can be used against a file in tmp to get root to remove any file on the system.

tags | advisory, root
SHA-256 | d35abb58d182e2ac03ec120bfbe800992445c733034160f3f66e0705ad173573


Change Mirror Download

aimSniff.pl 0.9b file "deletion" (local)

Martin (broadcast@mail.ptraced.net)

Program Description

Excerpt from the README file follows:

"AIM Sniff is a utility for monitoring and archiving AOL Instant Messenger
messages across a network. You can either do a live dump (actively sniff the
network) or read a PCAP file and parse the file for IM messages. You also have
the option of dumping the information to a MySQL database or STDOUT.

Another part of AIM Sniff is WAS (Web AIM Sniff) that is available as a separate
download. This is a web page front end to view and generate reports of captured
AIM conversations. This is expected to include the ability to see all conversations
from an IP address, AIM handle, NT Username, conversations between certain time periods.
It will allow administrators to see how often users are chatting to monitor for
abuse. You can also use AIM Sniff to monitor for cases of harassment or warez trading."

Program available at www.aimsniff.com

Intended audience:

"... The program was designed for network security specialist who have a deep understanding of network topology and the inner workings of internet protocols. Any network security specialist who is worth his weight uses unix in some variety or flavor ..."

Problem Description

[martin@localhost aimsniff-0.9b]$ grep -n \$debug2 aimSniff.pl
55:my $debug2=1;
1312: if($debug2){

$debug2 never gets modified, so that condition is always true.

sub LeaveNow{
log_msg("Child exiting");
open(LOG,">/tmp/AS.log") or die "Could not open debug file: $^E\n"; #(a)
print LOG "$debugmsg\n"; #(b)

Therefore, whenever LeaveNow is called, (a) and (b) will happen.

sub start_AS {

if ($daemonMode == 1)
#and right before the end of the procedure:

And when start_AS is called, LeaveNow will eventually be called.

The problem lies in (a) and (b). Excerpt from perlfunc related to open() follows:

"...If MODE is ">", the file is truncated and opened for output, being created if necessary..."

Since the file is supposed to be in /tmp, and attacker can create a symlink to any file he wants "erased". To sniff any traffic, this perl script has to be ran as root, so the local attacker can do it to any file. The file won't be really erased, but the original contents of it will be substituted with one of the following sentences:

[martin@localhost aimsniff-0.9b]$ grep \$debugmsg= aimSniff.pl
my $debugmsg="";
$debugmsg="AIM Message";
$debugmsg="Incoming Message";
$debugmsg="Outgoing Message";
$debugmsg="File Xfer";
$debugmsg="AIM Login";
$debugmsg="Version Information";
$debugmsg="Got Version";
$debugmsg="Chat Info";
$debugmsg="Got Chats";
$debugmsg="Chat join";
$debugmsg="Got chat join";
$debugmsg="Get Buddies";
$debugmsg="Got Buddies";
$debugmsg="Get other buddies";
$debugmsg="got buddies";

Possible Solutions

change (a) into unlink("/tmp/AS.log"); sysopen(FH,"/tmp/AS.log",O_WRONLY|O_EXECL|O_CREAT,0600);

Vendor Contacted

11/02/03 - Contacted, updated the same day.

Official Fix

Version upgrade available at http://sourceforge.net/project/showfiles.php?group_id=61413
Download 0.9d
Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By