[UNIX] SnortCenter Temporary File Vulnerability
From: support@securiteam.com  Date: 11/06/02
From: support@securiteam.com To: list@securiteam.com Date: 6 Nov 2002 23:03:46 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SnortCenter Temporary File Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://users.pandora.be/larc/> SnortCenter is a PHP-based tool for
aggregating many Snort sensors in one place, so that rules and
configurations are easy to keep synchronized. A vulnerability causes the
temporary files the program creates to have completely predictable names
(and permissions that leave them readable by everyone on the host),
allowing local users to read sensor configurations and compromise the
SnortCenter server.
DETAILS
Vulnerable systems:
* SnortCenter version 0.9.5 and prior
Immune systems:
* SnortCenter version 0.9.6
When you choose to "push" the rules out to a particular sensor, a file is
created in the temp directory with the same name as the sensor. So, if
your sensor is named "hal" and you push its rules, the web server creates
/tmp/hal, with permissions 777. Because the name is predictable and the
file is world-readable and world-writable, *anyone* with access to the
SnortCenter server's /tmp directory can read the sensor configuration
file while it exists, or plant a file or symlink of that name before the
push, among other /tmp games. Interesting bits in these files include the
usernames, passwords and addresses of the alert database servers.
Fix:
Version 0.9.6 has recently been released; upgrade to it. You can get
version 0.9.6 from SnortCenter's home page. Additionally, Clint has
attached a patch for 0.9.5 that uses tempnam() to pick a less predictable
name (the advisory is not sure of the security of PHP 4's tempnam()
function) and sets secure permissions on the file. Current PHP documents
tempnam() as creating the file in the requested directory with mode 0600,
which is where the "secure permissions" come from; verify that on the PHP
4 build you actually run, and note that tempnam() returns FALSE on failure
and may fall back to the system temp directory when the requested one is
not writable.
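The following is an added demonstration, not SnortCenter's code and not part of the advisory, of the failure mode the Details section describes (a fixed, guessable name under /tmp) and of the property the Fix section's tempnam() is meant to supply (an unpredictable name, created atomically, owner-only). It is written in Python so it runs stand-alone on any POSIX host; the sensor name "hal", the victim file and the config text are constructed for the example, and `exclusive_write`/`hardened_write` are illustrative names, not SnortCenter functions.

```python
"""Predictable temporary file names: the failure and the fix, side by side.

Added demonstration (not SnortCenter code, not from the advisory). The
"server" writes a sensor config to <tmpdir>/<sensor_name>, the way
SnortCenter 0.9.5 wrote /tmp/hal, after a local "attacker" who can predict
that name has planted a symlink there. Sensor name, victim file and config
text are constructed; a POSIX filesystem with symlinks is assumed.
"""
import os
import re
import stat
import tempfile

# Constructed stand-in for the interesting bits of a pushed config.
CONFIG_TEXT = (
    "output database: alert, mysql, user=snort password=s3cret "
    "dbname=snort host=alertdb.example\n"
)

SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_safe_sensor_name(name):
    """Sensor names become file-name prefixes (and, in SnortCenter, shell
    arguments), so only accept a conservative character set."""
    return SAFE_NAME.fullmatch(name) is not None


def vulnerable_write(tmpdir, sensor_name, data):
    """Equivalent of fopen("/tmp/$sensor_name", "w"): fixed name,
    O_CREAT|O_TRUNC without O_EXCL, follows whatever is already there."""
    path = os.path.join(tmpdir, sensor_name)
    with open(path, "w") as fp:
        fp.write(data)
    return path


def exclusive_write(tmpdir, sensor_name, data):
    """Same fixed name, but refuse to reuse a pre-existing entry: O_EXCL makes
    creation atomic and O_NOFOLLOW rejects a symlink. Returns the path, or
    None when something was already planted under that name."""
    path = os.path.join(tmpdir, sensor_name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return None
    with os.fdopen(fd, "w") as fp:
        fp.write(data)
    return path


def hardened_write(tmpdir, sensor_name, data):
    """What the patch's tempnam() aims for: unpredictable name, created
    atomically with mode 0600; sensor_name is only a sanitized prefix."""
    if not is_safe_sensor_name(sensor_name):
        raise ValueError("unsafe sensor name: %r" % sensor_name)
    fd, path = tempfile.mkstemp(prefix=sensor_name + ".", dir=tmpdir)
    try:
        st = os.fstat(fd)
        # Check the descriptor we hold, not the path: regular file, owner-only.
        if not stat.S_ISREG(st.st_mode) or stat.S_IMODE(st.st_mode) & 0o077:
            raise RuntimeError("temp file is not private")
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return path


def demo():
    """Play the attack against each writer; return a dict of observations."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "victim.conf")
        with open(victim, "w") as fp:
            fp.write("original contents\n")
        # Attacker: the name /tmp/hal is known in advance, so plant a symlink.
        os.symlink(victim, os.path.join(tmpdir, "hal"))

        vulnerable_write(tmpdir, "hal", CONFIG_TEXT)
        with open(victim) as fp:
            victim_now = fp.read()
        # The attacker reads the credentials through the name they chose.
        with open(os.path.join(tmpdir, "hal")) as fp:
            leaked = fp.read()

        refused = exclusive_write(tmpdir, "hal", CONFIG_TEXT) is None

        path = hardened_write(tmpdir, "hal", CONFIG_TEXT)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.unlink(path)  # remove it as soon as the consumer is done with it

        return {
            "victim_clobbered": victim_now == CONFIG_TEXT,
            "password_leaked": "password=" in leaked,
            "exclusive_refused": refused,
            "hardened_mode": mode,
            "hardened_name_predictable": os.path.basename(path) == "hal",
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

Running `demo()` shows the three behaviours a reviewer of the patch cares about: the fixed-name writer follows the planted symlink, so the victim file is overwritten and the credentials are readable under the name the attacker picked; an exclusive create on the same fixed name fails closed instead; and the mkstemp-style writer never has a guessable name, holds the file at mode 0600, and verifies that on the open descriptor rather than on a path that could be swapped underneath it.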
Patch:
--- snortcenter.orig/sensor.inc.php Sat Aug 24 06:26:14 2002
+++ snortcenter/sensor.inc.php Tue Oct 1 13:48:44 2002
@@ -19,6 +19,9 @@
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
USA.
*/
+
+global $senstmpfnam;
+
function find_interface_pid($id,$db) {
$result = $db->acidExecute("select cmd_line, interface from sensor
where id ='$id'");
$myrow = $result->acidFetchRow();
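Review bot: the file-scope `global $senstmpfnam;` added at the top of sensor.inc.php is a no-op; in PHP `global` only binds a name inside a function body, and at file scope the variable is already global. Drop it; the declarations that matter are the ones inside create_config() and in dl.php. Visible in the context lines, though not touched by this patch: find_interface_pid() builds `select cmd_line, interface from sensor where id ='$id'` by interpolation, so cast `$id` to int before it reaches the query.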
@@ -135,7 +138,7 @@
}
function create_config($sensor_export, $sensor_id, $db) {
-
+global $senstmpfnam;
sync_group($sensor_id,$db);
global $snortcenter_ver;
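Review bot: handing the temp file path back to the caller through a global is fragile. create_config() already ends with `return $sensor_name;`, so return the path with it, e.g. `return array($sensor_name, $senstmpfnam);`, and have sensor.php and dl.php take it from the return value instead of declaring `global $senstmpfnam` themselves. Minor: the new `global $senstmpfnam;` sits before `sync_group(...)` while the existing `global $snortcenter_ver;` sits after it; put both declarations together at the top of the function.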
@@ -145,7 +148,9 @@
$result = $db->acidExecute("select sensor_name from sensor where
id='$sensor_id'");
$myrow = $result->acidFetchRow();
$sensor_name = $myrow[0];
- echo "<FONT size=1>";
+ if($sensor_export != 'download') {
+ echo "<FONT size=1>";
+ }
$result_id = $db->acidExecute("SELECT sid from rulechange where
sensor_id='$sensor_id'");
while ($myrow = $result_id->acidFetchRow())
{
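Review bot: `select sensor_name from sensor where id='$sensor_id'` interpolates $sensor_id without escaping. That was already true, but this patch makes create_config() reachable from dl.php with an $id taken straight from the request, so cast it (`$sensor_id = (int)$sensor_id;`) or quote it through the DB layer before the query runs. Suppressing the `<FONT>` wrapper for the 'download' export is fine, since that output now goes into a file the browser saves.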
@@ -155,10 +160,12 @@
if (($sensor_export == 'download') || ($sensor_export == 'push')){
if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) {
- $fp = fopen ("c:/temp/$sensor_name", "w");
+ $senstmpfnam = tempnam("c:/temp",$sensor_name);
+ $fp = fopen ($senstmpfnam, "w");
}
else {
- $fp = fopen ("/tmp/$sensor_name", "w");
+ $senstmpfnam = tempnam("/tmp",$sensor_name);
+ $fp = fopen ($senstmpfnam, "w");
}
}
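Review bot: neither tempnam() nor fopen() has its return value checked. tempnam() returns FALSE on failure and, when the requested directory does not exist or is not writable, may create the file in the system temp directory instead; test `$senstmpfnam !== false` and that dirname($senstmpfnam) is the directory you asked for, and bail out if fopen() fails rather than writing credentials to nowhere. The prefix is $sensor_name straight from the sensor table; restrict it to letters, digits and `_.-` first, since the resulting path is also interpolated into a shell command in sensor.php. The good part: tempnam() creates the file with mode 0600, which is what removes the 777 problem from the advisory, and the following fopen(..., "w") only truncates that already-existing, owner-only file. Confirm the 0600 behaviour on the PHP 4 build in use, given the advisory's own doubt about it.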
@@ -685,7 +692,7 @@
if ($sensor_export == 'view') { echo "<BR>"; }
# }
-echo "</FONT>";
+if($sensor_export != 'download') { echo "</FONT>";}
}
return $sensor_name;
}
--- snortcenter.orig/sensor.php Sat Aug 24 12:29:53 2002
+++ snortcenter/sensor.php Tue Oct 1 12:38:26 2002
@@ -130,11 +130,13 @@
$sensor_name = create_config("push", $id, $db);
if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) {
if ($curl_path !='') { $curl_path = rtrim($curl_path,'\\') . '\\'; }
- $filename= "c:/temp/$sensor_name";
+ #$filename= "c:/temp/$sensor_name";
+ $filename=$senstmpfnam;
}
else {
if ($curl_path !='') { $curl_path = rtrim($curl_path,'/') . '/'; }
- $filename= "/tmp/$sensor_name";
+ #$filename= "/tmp/$sensor_name";
+ $filename=$senstmpfnam;
}
$r_option = find_interface_pid($id,$db);
exec($curl_path."curl -s -S --connect-timeout $curl_timeout -F
\"interface=$myrow[interface]\" -F \"r_option=$r_option\" -F
upload=@\"$filename\" $url 2>&1", $return_string);
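Review bot: delete the commented-out `#$filename= "c:/temp/$sensor_name";` and `#$filename= "/tmp/$sensor_name";` lines instead of leaving dead code; the patch is the record. $senstmpfnam arrives here as a side effect of create_config("push", ...) through a global; if tempnam() failed it is FALSE and the exec line degrades to `upload=@"" $url`, so check it before building the command. $filename is interpolated into a shell command via exec(), and its prefix is the sensor name from the database, so wrap it in escapeshellarg(); the same applies to `$myrow[interface]`, `$r_option` and `$url` on that line.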
@@ -143,6 +145,7 @@
}
$cmd_err = push_cmd_line($id,$db);
$sensor_msg = "$line<BR>$cmd_err";
+ unlink($filename);
}
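Review bot: `unlink($filename);` runs unconditionally, so a failed tempnam() earlier turns into a second warning here; guard it with is_file($filename). Also be aware the file holding the database credentials exists for the whole duration of the curl upload; that is inherent to `upload=@`, but with tempnam() it is at least 0600 for that window rather than 777.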
@@ -361,7 +364,7 @@
require('bottom.inc.php');
if ($sensor_ctl == 'download'){
- echo '<SCRIPT
language=javascript>setTimeout("location.href=\'dl.php?sensor_name='.$sensor_name.'\'",0);</SCRIPT>';
+ echo '<SCRIPT
language=javascript>setTimeout("location.href=\'dl.php?sensor_name='.$sensor_name.'&id='.$id.'\'",0);</SCRIPT>';
}
?>
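Review bot: $sensor_name and $id are concatenated into a JavaScript string literal and a URL without encoding, so a sensor name containing a quote, `&` or `#` breaks out of the `location.href='...'` string or mangles the query. Build the URL with `urlencode($sensor_name)` and `(int)$id`, and pass the result through htmlspecialchars() before echoing it inside the script block.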
--- snortcenter.orig/dl.php Wed Aug 7 10:46:41 2002
+++ snortcenter/dl.php Tue Oct 1 13:50:00 2002
@@ -1,15 +1,16 @@
<?php
if ($sensor_name)
{
+ include("config.php");
+ include("sensor.inc.php");
+ $db = NewACIDDBConnection($DBlib_path,$DBtype);
+ $db->acidConnect($DB_dbname,$DB_host,$DB_port,$DB_user,$DB_password);
+ create_config("download",$id,$db);
global $HTTP_USER_AGENT;
- if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) {
- $download="c:/temp/$sensor_name";
- }
- else {
- $download="/tmp/$sensor_name";
- }
+ global $senstmpfnam;
+ #$download="/tmp/$sensor_name";
$name= $sensor_name. '.snort.conf';
- $size=filesize($download);
+ $size=filesize($senstmpfnam);
header("Content-Type: application/octet-steam");
header("Content-Type: application/force-download");
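Review bot: dl.php now passes $id into create_config(), where it is interpolated into SQL (`where id='$sensor_id'` in sensor.inc.php), and the `if ($sensor_name)` guard shows the variables come from register_globals. Read them from $_GET, cast `$id = (int)$id;` before the call, and require $id to be set (an empty $id still opens a DB connection and runs the query). After create_config() returns, check that $senstmpfnam is a regular file inside the intended temp directory before calling filesize() on it; today a failed tempnam() produces filesize(false) and an empty download. The file-scope `global $senstmpfnam;` is a no-op as in sensor.inc.php. Minor, pre-existing: `application/octet-steam` is misspelled, though the second Content-Type header overrides it.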
@@ -23,6 +24,7 @@
{
header("Content-Disposition: attachment; filename=".$name);
}
- readfile($download);
+ readfile($senstmpfnam);
+ unlink($senstmpfnam);
}
?>
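Review bot: readfile() followed by unlink() is the right order, but the unlink is skipped if the client disconnects mid-transfer and PHP aborts the script, leaving the config with database credentials on disk. Call ignore_user_abort(true) before sending, or register the unlink with register_shutdown_function(), and check readfile()'s return value so a failed read does not silently serve an empty file.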
ADDITIONAL INFORMATION
The information has been provided by <mailto:cbyrum@spamaps.org> Clint
Byrum.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.