##Logsurfer default recommendation / configuration Remote Code Execution / Injection
##discovered by kcope when securing a box

The Logsurfer program distributed by DFN CERT at http://www.dfn-cert.de/eng/logsurf/
has a ridicolous remote code execution bug in one of its mailing scripts when it is configured properly :)

>From the Homepage:
---snip---
"
The program "logsurfer" was designed to monitor any text-based logfiles on your
system in realtime. The large amount of loginformation collected
(like all messages handled by the syslog-daemon or logfiles from your
information services FTP, WWW etc.) makes it nearly impossible to check your
logs manually to find any unusual activity. You need a program to do this for you.
If you don't want to use a script that checks your logs in certain time intervals
(like once a day) then you might be interested in the programs like swatch or logsurfer.
"
---snip---

This program is also related to snort in some way.
>From http://www.snort.org/docs/faq/1Q05/node94.html:

---snip---
"
5.9 How do I get Snort to e-mail me alerts?

You can't. Such a process would slow Snort down too much to make it of any use.
Instead, log to syslog and use swatch or logcheck to parse over the plaintext logfiles.

With the Logsurfer docs, this might get you on the road to doing something with Snort and Logsurfer:

    * http://www.obfuscation.org/emf/logsurfer/snort.txt

JASON HAAR provided an example Swatch (3.1beta) config that emails alerts:

    * http://www.theadamsfamily.net/~erek/snort/snort-swatch.conf.txt

Here are some docs on swatch:

    * http://www.oit.ucsb.edu/~eta/swatch/
    * http://www.stanford.edu/~atkins/swatch
    * http://rr.sans.org/sysadmin/swatch.php
    * http://www.enteract.com/ lspitz/swatch.html
    * http://www.cert.org/security-improvement/implementations/i042.01.html

IDS Center (see FAQ [*]) on Win32 will also mail alerts.
"
---snip---

Using the logsurfer configuration files from http://www.obfuscation.org/emf/logsurfer/snort.txt
(as recommended by the snort team) or the default examples from the DFN CERT is a very bad idea.
This will open your network open wide because of the use of the "surfmailer" script which is 
recommended by the DFN CERT.

The "surfmailer" script from "http://www.obfuscation.org/emf/logsurfer/surfmailer" looks as follows:

--- snip ---
#!/usr/bin/perl
use Getopt::Std;

getopts("S:r:");

my $SUBJECT = $opt_S if defined $opt_S;
my $RECIPIENT = $opt_r if defined $opt_r;

open OUTFILE, "|/usr/sbin/sendmail $RECIPIENT";

print OUTFILE "Subject: $SUBJECT\n\n";
while (<>) {
  print OUTFILE $_;
}
--- snip ---

This perl script does an getopt on the "-r" parameter which comes from the logsurfer configuration file
and then an open with a pipe character (duh!) to sendmail (to deliver the logsurfer message to a system user).

Now let's take for example the postfix configuration file provided by DFN CERT at
ftp://ftp.cert.dfn.de/pub/tools/audit/logsurfer/config-examples/emf/postfix.txt:

---snip---
   ###
   ### The Postfix MTA.
   ###
   '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: warning: (.*): hostname (.*) verification failed: Host not found' - - - 0
           open "$2 postfix\.*\\[$3\\]" - 1000 3600 300
           report "/usr/local/bin/surfmailer -r root -S \"SMTP connect from host with broken DNS: $4 $5\"" "$2 postfix\.*\\[$3\\]"

   '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: connect from (.*)\[(.*)\]' - - - 0
           open "$2 postfix\.*\\[$3\\]\.*$5" - 1000 3600 300
           ignore

   '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: reject: RCPT from (.*)\[(.*)\]: 554 .* Recipient address rejected: Relay access denied' - - - 0 ignore

[1]'^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: reject: RCPT from (.*)\[(.*)\]: 455 <(.*)>: Sender address rejected: Domain not found' - - - 0
           rule before
           '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: disconnect from (.*)\[(.*)\]' - '.*' - 60
[2]                report "/usr/local/bin/surfmailer -r root -S \"$2 Sender address rejected: Domain not found from $4 $5\"" "$2 postfix\.*\\[$3\\]\.*$5"

   '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: reject' - - - 0
           rule before
           '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: disconnect from (.*)\[(.*)\]' - '.*' - 60
                   report "/usr/local/bin/surfmailer -r root -S \"$2 rejected: Unknown reasons: $4 $5\"" "$2 postfix\.*\\[$3\\]\.*$5"


   '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: disconnect from (.*)\[(.*)\]' - - - 0
           delete "$2 postfix\.*\\[$3\\]\.*$5"

   'postfix/(cleanup|qmgr)' - - - 0 ignore
---snip---


At the line marked by [1] in this configuration file snippet the regular expression checks in the system logs for
rejected sender addresses of postfix. if the rule matches a "report" is sent as seen at the line marked as [2].
So when a bad guy connects to your postfix server and sends a "MAIL FROM:" line to the daemon consisting of the
following string: "\"LOL -r ;touch /tmp/0wned;\""@notexisting.com
the surfmailer script is run with a RECIPIENT of ";touch /tmp/0wned;" the next time the logsurfer is checking the logfiles for intrusion.
This RECIPIENT lands directly in the open function of the surfmailer script and is executed!

So if you use the "surfmailer" script my advise is to overthink that and write your own wrapper.
This is just a configuration issue but can be a hell of a bug, since this can be exploited over different services like FTP,SSH,SMTP
(depending on the logsurfer rulesets and the crazyness of the admin).

2008/kcope

-- 
Psssst! Schon vom neuen GMX MultiMessenger gehört?
Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger