##Logsurfer default recommendation / configuration Remote Code Execution / Injection ##discovered by kcope when securing a box The Logsurfer program distributed by DFN CERT at http://www.dfn-cert.de/eng/logsurf/ has a ridicolous remote code execution bug in one of its mailing scripts when it is configured properly :) >>From the Homepage: ---snip--- " The program "logsurfer" was designed to monitor any text-based logfiles on your system in realtime. The large amount of loginformation collected (like all messages handled by the syslog-daemon or logfiles from your information services FTP, WWW etc.) makes it nearly impossible to check your logs manually to find any unusual activity. You need a program to do this for you. If you don't want to use a script that checks your logs in certain time intervals (like once a day) then you might be interested in the programs like swatch or logsurfer. " ---snip--- This program is also related to snort in some way. >>From http://www.snort.org/docs/faq/1Q05/node94.html: ---snip--- " 5.9 How do I get Snort to e-mail me alerts? You can't. Such a process would slow Snort down too much to make it of any use. Instead, log to syslog and use swatch or logcheck to parse over the plaintext logfiles. With the Logsurfer docs, this might get you on the road to doing something with Snort and Logsurfer: * http://www.obfuscation.org/emf/logsurfer/snort.txt JASON HAAR provided an example Swatch (3.1beta) config that emails alerts: * http://www.theadamsfamily.net/~erek/snort/snort-swatch.conf.txt Here are some docs on swatch: * http://www.oit.ucsb.edu/~eta/swatch/ * http://www.stanford.edu/~atkins/swatch * http://rr.sans.org/sysadmin/swatch.php * http://www.enteract.com/ lspitz/swatch.html * http://www.cert.org/security-improvement/implementations/i042.01.html IDS Center (see FAQ [*]) on Win32 will also mail alerts. " ---snip--- Using the logsurfer configuration files from http://www.obfuscation.org/emf/logsurfer/snort.txt (as recommended by the snort team) or the default examples from the DFN CERT is a very bad idea. This will open your network open wide because of the use of the "surfmailer" script which is recommended by the DFN CERT. The "surfmailer" script from "http://www.obfuscation.org/emf/logsurfer/surfmailer" looks as follows: --- snip --- #!/usr/bin/perl use Getopt::Std; getopts("S:r:"); my $SUBJECT = $opt_S if defined $opt_S; my $RECIPIENT = $opt_r if defined $opt_r; open OUTFILE, "|/usr/sbin/sendmail $RECIPIENT"; print OUTFILE "Subject: $SUBJECT\n\n"; while (<>) { print OUTFILE $_; } --- snip --- This perl script does an getopt on the "-r" parameter which comes from the logsurfer configuration file and then an open with a pipe character (duh!) to sendmail (to deliver the logsurfer message to a system user). Now let's take for example the postfix configuration file provided by DFN CERT at ftp://ftp.cert.dfn.de/pub/tools/audit/logsurfer/config-examples/emf/postfix.txt: ---snip--- ### ### The Postfix MTA. ### '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: warning: (.*): hostname (.*) verification failed: Host not found' - - - 0 open "$2 postfix\.*\\[$3\\]" - 1000 3600 300 report "/usr/local/bin/surfmailer -r root -S \"SMTP connect from host with broken DNS: $4 $5\"" "$2 postfix\.*\\[$3\\]" '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: connect from (.*)\[(.*)\]' - - - 0 open "$2 postfix\.*\\[$3\\]\.*$5" - 1000 3600 300 ignore '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: reject: RCPT from (.*)\[(.*)\]: 554 .* Recipient address rejected: Relay access denied' - - - 0 ignore [1]'^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: reject: RCPT from (.*)\[(.*)\]: 455 <(.*)>: Sender address rejected: Domain not found' - - - 0 rule before '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: disconnect from (.*)\[(.*)\]' - '.*' - 60 [2] report "/usr/local/bin/surfmailer -r root -S \"$2 Sender address rejected: Domain not found from $4 $5\"" "$2 postfix\.*\\[$3\\]\.*$5" '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: reject' - - - 0 rule before '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: disconnect from (.*)\[(.*)\]' - '.*' - 60 report "/usr/local/bin/surfmailer -r root -S \"$2 rejected: Unknown reasons: $4 $5\"" "$2 postfix\.*\\[$3\\]\.*$5" '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: disconnect from (.*)\[(.*)\]' - - - 0 delete "$2 postfix\.*\\[$3\\]\.*$5" 'postfix/(cleanup|qmgr)' - - - 0 ignore ---snip--- At the line marked by [1] in this configuration file snippet the regular expression checks in the system logs for rejected sender addresses of postfix. if the rule matches a "report" is sent as seen at the line marked as [2]. So when a bad guy connects to your postfix server and sends a "MAIL FROM:" line to the daemon consisting of the following string: "\"LOL -r ;touch /tmp/0wned;\""@notexisting.com the surfmailer script is run with a RECIPIENT of ";touch /tmp/0wned;" the next time the logsurfer is checking the logfiles for intrusion. This RECIPIENT lands directly in the open function of the surfmailer script and is executed! So if you use the "surfmailer" script my advise is to overthink that and write your own wrapper. This is just a configuration issue but can be a hell of a bug, since this can be exploited over different services like FTP,SSH,SMTP (depending on the logsurfer rulesets and the crazyness of the admin). 2008/kcope