aimSniff.pl 0.9b file "deletion" (local)
Martin (broadcast@mail.ptraced.net)

-------------------
Program Description
-------------------

Excerpt from the README file follows:

"AIM Sniff is a utility for monitoring and archiving AOL Instant Messenger messages across a network. You can either do a live dump (actively sniff the network) or read a PCAP file and parse the file for IM messages. You also have the option of dumping the information to a MySQL database or STDOUT. Another part of AIM Sniff is WAS (Web AIM Sniff) that is available as a separate download. This is a web page front end to view and generate reports of captured AIM conversations. This is expected to include the ability to see all conversations from an IP address, AIM handle, NT Username, conversations between certain time periods. It will allow administrators to see how often users are chatting to monitor for abuse. You can also use AIM Sniff to monitor for cases of harassment or warez trading."

Program available at www.aimsniff.com

Intended audience:

"... The program was designed for network security specialists who have a deep understanding of network topology and the inner workings of internet protocols. Any network security specialist who is worth his weight uses unix in some variety or flavor ..."

-------------------
Problem Description
-------------------

    [martin@localhost aimsniff-0.9b]$ grep -n \$debug2 aimSniff.pl
    55:my $debug2=1;
    1312: if($debug2){

$debug2 never gets modified, so that condition is always true.

    sub LeaveNow{
        log_msg("Child exiting");
        if($debug2){
            open(LOG,">/tmp/AS.log") or die "Could not open debug file: $^E\n";   #(a)
            print LOG "$debugmsg\n";                                              #(b)
            close(LOG);
        }
        #....
    }

Therefore, whenever LeaveNow is called, (a) and (b) will happen.

    sub start_AS {
        &open_syslog();
        if ($daemonMode == 1) {
            $SIG{'QUIT'}=\&LeaveNow;
            $SIG{'INT'}=\&LeaveNow;
            $SIG{'HUP'}=\&dump_child_stats;
        }
        #....
        #and right before the end of the procedure:
        #....
            &LeaveNow;
        }
    }

And when start_AS is called, LeaveNow will eventually be called.

The problem lies in (a) and (b). Excerpt from perlfunc related to open() follows:

"...If MODE is ">", the file is truncated and opened for output, being created if necessary..."

Since the file is supposed to be in /tmp, an attacker can create a symlink to any file he wants "erased". To sniff any traffic, this perl script has to be run as root, so the local attacker can do it to any file. The file won't really be erased, but its original contents will be substituted with one of the following strings:

    [martin@localhost aimsniff-0.9b]$ grep \$debugmsg= aimSniff.pl
    my $debugmsg="";
    $debugmsg="AIM Message";
    $debugmsg="Incoming Message";
    $debugmsg="Outgoing Message";
    $debugmsg="File Xfer";
    $debugmsg="AIM Login";
    $debugmsg="Version Information";
    $debugmsg="Got Version";
    $debugmsg="Chat Info";
    $debugmsg="Got Chats";
    $debugmsg="Chat join";
    $debugmsg="Got chat join";
    $debugmsg="Get Buddies";
    $debugmsg="Got Buddies";
    $debugmsg="Get other buddies";
    $debugmsg="got buddies";

------------------
Possible Solutions
------------------

Change (a) into:

    use Fcntl;   # provides the O_WRONLY, O_EXCL and O_CREAT constants
    unlink("/tmp/AS.log");
    # O_EXCL with O_CREAT makes the open fail if the name already exists (a symlink included);
    # the handle is LOG so that (b) keeps working
    sysopen(LOG,"/tmp/AS.log",O_WRONLY|O_EXCL|O_CREAT,0600) or die "Could not open debug file: $^E\n";

----------------
Vendor Contacted
----------------

11/02/03 - Contacted, updated the same day.

------------
Official Fix
------------

Version upgrade available at http://sourceforge.net/project/showfiles.php?group_id=61413

Download 0.9d
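The following is an added example, not code from the advisory or from AIM Sniff: it reproduces the truncation through a planted symlink with the open(">...") form and then shows a sysopen with O_CREAT|O_EXCL refusing the same path. It runs as an unprivileged user inside a temporary directory; the helper names write_debug_unsafe/write_debug_safe, the file names and the file contents are constructed for the demonstration.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Vulnerable pattern from aimSniff.pl 0.9b: open(">path") truncates whatever
# the path resolves to, so a symlink planted under the log name redirects the
# truncation to any file the (root) process is allowed to write.
sub write_debug_unsafe {
    my ($path, $msg) = @_;
    open(my $log, '>', $path) or return 0;
    print $log "$msg\n";
    close($log);
    return 1;
}

# Hardened opener in the spirit of the advisory's fix: O_CREAT|O_EXCL makes
# sysopen fail with EEXIST when the name already exists, a symlink included,
# regardless of where that link points; mode 0600 keeps the log private.
sub write_debug_safe {
    my ($path, $msg) = @_;
    sysopen(my $log, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print $log "$msg\n";
    close($log);
    return 1;
}

sub size_of { return (stat($_[0]))[7]; }

# Constructed scenario: a file worth protecting and a symlink carrying the
# debug log's name that points at it (stand-in for /tmp/AS.log).
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/victim.txt";
my $link   = "$dir/AS.log";
open(my $v, '>', $victim) or die "create victim: $!";
print $v "important data\n";
close($v);
symlink($victim, $link) or die "symlink: $!";

write_debug_unsafe($link, "AIM Message");
printf "unsafe open: victim now %d bytes, its data replaced by the debug string\n", size_of($victim);

# Put the data back and try the hardened opener against the same symlink.
open($v, '>', $victim) or die "restore victim: $!";
print $v "important data\n";
close($v);
my $ok = write_debug_safe($link, "AIM Message");
printf "safe open: %s; victim still %d bytes\n", ($ok ? "succeeded" : "refused ($!)"), size_of($victim);
```

The advisory's fix also unlinks the stale path before the sysopen; O_EXCL then still rejects anything that reappears under that name in the gap between the two calls.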