[UNIX] AIM Sniff File Replacing Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 02/16/04

    To: list@securiteam.com
    Date: 16 Feb 2004 11:21:22 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      AIM Sniff File Replacing Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.aimsniff.com> AIM Sniff is a utility for monitoring and
    archiving AOL Instant Messenger messages across a network. You can either
    do a live dump (actively sniff the network) or read a PCAP file and parse
    the file for IM messages. You also have the option of dumping the
    information to a MySQL database or STDOUT."

    A bug exists in AIM Sniff that allows a local user to replace any file's
    contents on the system with debug messages.

    DETAILS

    Vulnerable Systems:
     * AIM Sniff version 0.9b

    Immune Systems:
     * AIM Sniff version 0.9d

    A problem in the way the Perl program handles debug output can lead to
    arbitrary file "deletion". The files aren't really deleted, but their
    contents get replaced with debug messages from the program. The first
    thing to notice is that a certain debug variable is always turned on:

    $ grep -n \$debug2 aimSniff.pl
    55:my $debug2=1;
    1312:    if($debug2){

    $debug2 never gets modified, so that condition is always true.

    sub LeaveNow{
        log_msg("Child exiting");
        if($debug2){
            open(LOG,">/tmp/AS.log") or die "Could not open debug file: $^E\n"; #(a)
            print LOG "$debugmsg\n";                                            #(b)
            close(LOG);
        }
    #....
    }

    Therefore, whenever LeaveNow is called, statements (a) and (b) are always
    executed. Another code excerpt:

    sub start_AS {
        &open_syslog();

        if ($daemonMode == 1)
        {
            $SIG{'QUIT'}=\&LeaveNow;
            $SIG{'INT'}=\&LeaveNow;
            $SIG{'HUP'}=\&dump_child_stats;
        }
    #....
    #and right before the end of the procedure:
    #....
            &LeaveNow;
        }
    }

    Whenever start_AS is called, LeaveNow eventually gets called as well:
    explicitly at the end of the procedure, and in daemon mode also on SIGQUIT
    or SIGINT. The problem lies in the LeaveNow subroutine. Following is an
    excerpt from perlfunc in relation to the open() function:

    "...If MODE is ">", the file is truncated and opened for output, being
    created if necessary..."

    Since the log file lives in /tmp, a world-writable directory, a local
    attacker can create a symlink named /tmp/AS.log pointing at any file
    he/she wants "erased"; open() with ">" follows the symlink and truncates
    its target. Because the Perl program has to run as root to sniff traffic,
    the local attacker can replace any file on the system, including files
    only root can write. The file won't really be erased, but its original
    contents will be substituted with one of the following strings (followed
    by a newline):

    $ grep \$debugmsg= aimSniff.pl
    my $debugmsg="";
    $debugmsg="AIM Message";
    $debugmsg="Incoming Message";
    $debugmsg="Outgoing Message";
    $debugmsg="File Xfer";
    $debugmsg="AIM Login";
    $debugmsg="Version Information";
    $debugmsg="Got Version";
    $debugmsg="Chat Info";
    $debugmsg="Got Chats";
    $debugmsg="Chat join";
    $debugmsg="Got chat join";
    $debugmsg="Get Buddies";
    $debugmsg="Got Buddies";
    $debugmsg="Get other buddies";
    $debugmsg="got buddies";

    Patch Availability:
    One way is to change the problematic line (a) so that the log file is
    created with O_EXCL. With O_CREAT|O_EXCL, open(2) fails with EEXIST if the
    path already exists, and a symlink counts as existing regardless of where
    it points, so the write can no longer be redirected:

    use Fcntl;
    unlink("/tmp/AS.log");
    sysopen(LOG,"/tmp/AS.log",O_WRONLY|O_EXCL|O_CREAT,0600)
        or die "Could not open debug file: $^E\n";

    (The flag is O_EXCL, not O_EXECL; the constants come from the Fcntl
    module; and the handle has to stay LOG so that line (b) still writes to
    it.) An attacker who re-creates the link between the unlink and the
    sysopen can only make the open fail, not truncate a file of his/her
    choice; writing the debug output to a directory that is not
    world-writable avoids that race entirely.

    In any case, the vendor was contacted on 11/02/2004 and a
    <http://sourceforge.net/project/showfiles.php?group_id=61413> new version
    was released the same day.
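    To make both halves of the advisory concrete, the following POSIX shell
    script is an added example (not part of the original advisory and not AIM
    Sniff's own code). It plants the attacker's symlink in a throw-away
    directory, drives a stand-in for the vulnerable open(">") through it, and
    then repeats the write with a noclobber create, which is the shell's
    equivalent of the O_CREAT|O_EXCL sysopen suggested above. The sandbox
    paths, the victim file and the "AIM Login" message are constructed for the
    demonstration; no root is needed because the victim file is the user's own.

```shell
#!/bin/sh
# Added example, not AIM Sniff's own code: reproduce the /tmp/AS.log symlink
# truncation in a throw-away directory and show that an exclusive create
# refuses the link. File names and message strings are constructed here.

# Stand-in for the vulnerable LeaveNow:
#     open(LOG,">/tmp/AS.log"); print LOG "$debugmsg\n";
# A plain '>' redirect is the same open(2) call, O_WRONLY|O_CREAT|O_TRUNC,
# and like Perl's open it follows a symlink to whatever it points at.
vulnerable_leavenow() {
    logpath=$1
    debugmsg=$2
    printf '%s\n' "$debugmsg" > "$logpath"
}

# Stand-in for the proposed fix, sysopen(..., O_WRONLY|O_EXCL|O_CREAT, 0600):
# noclobber (set -C) makes '>' refuse an existing path instead of truncating
# it; bash implements that with O_CREAT|O_EXCL, the flags the fix uses.
# Returns non-zero when the create was refused.
hardened_leavenow() {
    logpath=$1
    debugmsg=$2
    ( set -C; printf '%s\n' "$debugmsg" > "$logpath" ) 2>/dev/null
}

# Plant the attacker's link in a sandbox, run one of the two writers through
# it, and print what the victim file holds afterwards.
# $1: "vulnerable" or "hardened"
victim_after() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim.conf"   # stands in for any root-owned file
    link="$sandbox/AS.log"          # stands in for /tmp/AS.log
    printf 'original contents\n' > "$victim"
    ln -s "$victim" "$link"         # what the local attacker does in /tmp

    if [ "$1" = vulnerable ]; then
        vulnerable_leavenow "$link" "AIM Login"
    else
        hardened_leavenow "$link" "AIM Login" || true
    fi
    cat "$victim"
    rm -rf "$sandbox"
}

# Whether the hardened writer refuses an existing symlink (0 = refused).
# A dangling link is enough: the path exists, so the exclusive create fails.
hardened_refuses_symlink() {
    sandbox=$(mktemp -d) || return 1
    ln -s "$sandbox/anything" "$sandbox/AS.log"
    if hardened_leavenow "$sandbox/AS.log" "AIM Login"; then
        rc=1
    else
        rc=0
    fi
    rm -rf "$sandbox"
    return $rc
}

# Usage: run the script to see the two outcomes side by side.
echo "vulnerable: $(victim_after vulnerable)"   # victim now reads "AIM Login"
echo "hardened:   $(victim_after hardened)"     # victim still reads "original contents"
```

    The same check scales to a real audit: any privileged program that opens a
    fixed name under /tmp with a truncating open can be fed a symlink this way,
    and the shell's noclobber redirect is a quick way to confirm whether a
    replacement open refuses the link.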

    ADDITIONAL INFORMATION

    The information has been provided by Martin
    <mailto:broadcast@mail.ptraced.net>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

