lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 25 Jun 2003 15:10:54 -0500
From: Nik Reiman <nik@...leo.net>
To: bugtraq@...urityfocus.com
Subject: various portmon vulnerabilities


Ok, I have released portmon 1.9, which addresses both of the security 
"holes" which were brought up on bugtraq recently.  Please see:

http://www.securityfocus.com/archive/82/326718
http://www.securityfocus.com/archive/1/325482

It is important to note that portmon is (and never was) installed SUID 
by default, for obvious reasons.  In fact, the --enable-setuid option 
in the configure script printed out a nasty warning regarding the 
nature of SUID programs.
So, as of version 1.8, portmon does not come with the --enable-setuid 
option.  If the user is hellbent on running portmon as a lower level 
user, then they can chmod +s it by hand. ;]
Regarding the gobbles-esque "overflow" that was posted today (25 Jun 
03), this particular bug isn't exactly exploitable and can't be used to 
gain elevated privileges on the target system.  As the author of the 
exploit expressed to me in an email:

   export USER=l33t
   which create many a stress for admin if they find this in the log !
   but your right, is not a M A J OR concern.  thanx n1xo ! !

I would like to clarify two things about this advisory:
- This segfault has been corrected as of version 1.9.  Please see 
http://aboleo.net/software/portmon/downloads for updates.
- This particular bug, when "exploited" as the author suggests, 
produces the following output to a portmon log:

envy:~/portmon/src$ export USER=l33t
envy:~/portmon/src$ ./portmon -c /usr/local/etc/hosts -l temp.log -d
envy:~/portmon/src$ head -1 temp.log
(Wed Jun 25 14:57:11 2003) - Portmon started by user l33t

While I find it odd that something like this might be considered to be 
a security vulnerability, I should note that the $USER environment 
variable is not used in any other places in the code.  So while users 
of portmon are encouraged to upgrade to the latest and greatest 
version, anyone running portmon nonsuid (default) is not vulnerable to 
local exploitation by either of these bugs.

-Nik
--
|| Nik Reiman || nik@...leo.net || http://www.aboleo.net ||

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ