[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040908045054.1530.qmail@www.securityfocus.com>
Date: 8 Sep 2004 04:50:54 -0000
From: "Jérôme" ATHIAS <jerome.athias@...amail.com>
To: bugtraq@...urityfocus.com
Subject: Insecure Temporary File Creation Vulnerability in Net-Acct
Net-Acct is a user-space daemon which generates log files of network traffic for accounting purposes. Initially created by Ulrich Callmeier, it is now worked upon occasionally by a team of volunteers on the list net-acct*CoLi.Uni-SB.DE, questions are best asked there or net-acct*exorsus.net.
Stefan Nordhausen has identified a local security hole in net-acct (all versions). It appears to be some redundant code from some time way back in the past although I'm not entirely sure. I have removed the code, since it doesn't actually appear to do anything other than create and delete a file that is referenced nowhere else. Use the patch at your own risk, until I've had some feedback telling me it works.
net-acct-notempfiles.patch : http://exorsus.net/projects/net-acct/net-acct-notempfiles.patch
For much of the functionality provided by net-acct, an alternative, http://savannah.nongnu.org/projects/ulog-acctd, exists which is considerably better at catching all the relevant packets. For the majority of problems it should be considered the preferable solution to net-acct (assuming you're on a linux 2.4 kernel of course :)
http://netacct-mysql.sourceforge.net/ is a fairly new project which is creating a completely mysql-customised version of net-acct. There's obviously a popular niche here since there seem to be a fair number of people contributing. Users looking to put their data straight into MySQL may well be served by taking a look.
Thomas Prokosch kindly donated another log summary script which can be found at http://www.nadev.net/thomas/projects/nacctstats/
Marc Haber has made available a patch for a locking problem within net-acct. If you are suffering from rare situations in which net-acct seems to spin out and grab all available cpu, this may well help.
lockpatch.txt : http://exorsus.net/projects/net-acct/lockpatch.txt
0.71 is now the latest version, changes: A patch for a small bug in the Localtime handling for those using the HUMAN_READBLE define.
We have a debian package available, thanks to Bernd Eckenfels , package page is at http://packages.debian.org/unstable/net/net-acct.html.
Known bugs
- Name based framing detection. Now, to be honest, I don't have a great idea of what exatly "framing" is, in this context, but if you know, tell me, or I'll end up figuring it out for myself when the bug list begins to annoy me :)
- Reverse masq tracking (includes patch) hopefully will go into the next version, or something :)
PLEASE NOTE The README file in the archive is out of date in some aspects, it is included for completeness however contact names, mailing list signups etc are incorrect.
http://exorsus.net/projects/net-acct/
Powered by blists - more mailing lists