[NEWS] Sustworks Unauthorized Network Monitoring and tcpflow Format String Attack

From: SecuriTeam (support_at_securiteam.com)
Date: 08/10/03

    To: list@securiteam.com
    Date: 10 Aug 2003 17:01:53 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Sustworks Unauthorized Network Monitoring and tcpflow Format String Attack
    ------------------------------------------------------------------------

    SUMMARY

    IPNetSentryX and IPNetMonitorX are network tools that provide firewalling
    and general network monitoring, respectively. Both ship with three helper
    tools, each of which has a security issue. The first two, RunTCPDump and
    RunTCPFlow, allow arbitrary users to monitor the network without any form
    of authentication or privilege. The third, tcpflow (executed by
    RunTCPFlow), contains a format string vulnerability that allows arbitrary
    commands to be run as the user calling the program. Since RunTCPFlow is
    setuid root and passes its arguments on to tcpflow, arbitrary commands can
    be executed as root.

    DETAILS

    RunTCPDump and RunTCPFlow are setuid root helper applications that simply
    execute /usr/sbin/tcpdump and /usr/local/bin/tcpflow. They pass all of
    their arguments through to the commands they execute, so users can run
    tcpdump and tcpflow however they choose. Unfortunately, any user with
    interactive access to a Mac OS X system with IPNetSentryX or IPNetMonitorX
    installed can run these helpers, which lets any user on the system view
    all network traffic that passes through the vulnerable system.

    For example:
    bash-2.05a$ id
    uid=503(dummy) gid=20(staff) groups=20(staff)
    bash-2.05a$ pwd
    /Applications/IPNetSentryX.app/Contents/Resources
    bash-2.05a$ ./RunTCPDump -i en1 -x -v -s 4096
    RunTCPDump: listening on en1
    18:02:55.726143 arp who-has 192.168.0.1 tell 192.168.0.1
                             0001 0800 0604 0001 XXXX XXXX XXXX XXXX
                             0001 0000 0000 0000 c0a8 0001 0000 0000
                             0000 0000 0000 0000 0000 0000 0000

    Additionally, tcpflow contains a format string vulnerability, which on its
    own would not normally be a serious security issue. However, since any
    user on a system that has IPNetSentryX or IPNetMonitorX and tcpflow
    installed can cause tcpflow to be executed as root via RunTCPFlow, an
    attacker can use this vulnerability to become root. A corresponding
    @stake advisory (a080703-2) has been released on the tcpflow format string
    attack.

    Vendor Response:
    These vulnerabilities are mitigated in the latest versions of IPNetSentryX
    and IPNetMonitorX, available from http://www.sustworks.com. Mitigation
    strategies include stronger input validation and access control for
    RunTCPDump and RunTCPFlow.

    Recommendation:
    Upgrade to the latest version of IPNetSentryX and tcpflow.

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    www.atstake.com/research/advisories/2003/a080703-1.txt

    The information has been provided by Dave G. (daveg@atstake.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

