
List:       snort-users
Subject:    RE: [snort] [fyodor@insecure.org: Re: BlackICE and nmap]
From:       Jerry Shenk <jas () dect ! com>
Date:       2000-05-25 1:35:46

SMB alerts! I don't use 'em and can't imagine that I ever will.

===== Original Message from Martin Roesch <snort@bofh.kyrnet.kg> at 5/24/00 10:16 am
>*sigh*
>
>There is one in the SMB alert code.  Fyodor pointed it out to me last
>week and I haven't had the time to patch it yet.  Basically, we're
>writing to a known file in /tmp and that can be used to stomp any file
>on the system, possibly leading to root access if the attacker is good
>enough.
>
>This needs to be fixed, but it's been relatively low priority for me
>since:
>
>a) You have to do a configure-time option to even turn this code on
>
>b) SMB alerting is one of the least popular options in Snort
>
>c) This function is fantastically dangerous (and used to be noted as
>such) because it executes an external command from within a program with
>root privs (i.e. Snort) AND it's executing it through the $PATH.  Can
>anyone in the class tell me why this is bad? :)
>
>d) Oh yeah, did I mention I've been on the road for the last three
>weeks, putting snort.org together, working on ARMOR (you know, my real
>job!), speaking at conferences, etc?  (Let's all have a pity party...)
>:P
>
>Anyway, here's the offending code (Line 855 in log.c):
>
>    /* erase the old message file */
>    unlink("/tmp/.snortmsg");
>
>    /* open the message file and the workstation names file */
>    if (((tempmsg = fopen("/tmp/.snortmsg","w")) != NULL) &&
>        ((workstations = fopen(workfile,"r")) != NULL))
>    {
>
>We should be either using mkstemp(3) or recode the function to leave the
>data that goes in the .snortmsg file in memory.  Does anyone know how
>portable mkstemp(3) is?
>
>Additionally, we should hard code the path to smbclient and make the
>user have to specify it at either run time or compile time (with
>configure?) to be completely safe.
>
>Can I get a show of hands as to how many people are actually using this
>code?
>
>
>     -Marty
>
>
>Nelson Murilo wrote:
>>
>> Sorry if it is old, but I don't remember any 'serious vulnerability',
>> recent or not.
>>
>> ./nelson -murilo
>>
>> ----- Forwarded message from Fyodor <fyodor@insecure.org> -----
>> Return-Path: <nmap-hackers-return-738-nelson=pangeia.com.br@insecure.org>
>> Delivered-To: nelson@pangeia.com.br
>> Received: from amy.insecure.org (adsl-63-192-132-102.dsl.snfc21.pacbell.net [63.192.132.102])
>>         by spliff.pangeia.com.br (Postfix) with SMTP id 1B90D3D3D4
>>         for <nelson@pangeia.com.br>; Wed, 24 May 2000 10:13:18 -0300 (EST)
>> Received: (qmail 13025 invoked by uid 508); 24 May 2000 09:41:45 -0000
>> Mailing-List: contact nmap-hackers-help@insecure.org; run by ezmlm
>> Precedence: bulk
>> Delivered-To: mailing list nmap-hackers@insecure.org
>> Delivered-To: moderator for nmap-hackers@insecure.org
>> Received: (qmail 12766 invoked by uid 500); 24 May 2000 09:39:03 -0000
>> Date: Wed, 24 May 2000 02:39:03 -0700 (PDT)
>> From: Fyodor <fyodor@insecure.org>
>> X-Sender: Fyodor <fyodor@insecure.org>
>> To: Greg Thomas <mr360@yahoo.com>
>> Cc: nmap-hackers@insecure.org
>> Subject: Re: BlackICE and nmap
>> In-Reply-To: <20000523074106.22996.qmail@web2104.mail.yahoo.com>
>> Message-ID: <Pine.LNX.4.21.0005240113000.5281-100000@amy.yuma.net>
>> MIME-Version: 1.0
>> Content-Type: TEXT/PLAIN; charset=US-ASCII
>> Sender: nmap-hackers-return-738-nelson=pangeia.com.br@insecure.org
>> Status: RO
>> Content-Length: 2900
>> Lines: 65
>>
>> [...]
>> And source code access does matter.  Even if *you* don't read the code,
>> other people will and you will benefit from fixes to the holes they
>> discover.  For example, a couple weeks ago I downloaded an open source IDS
>> called snort [1] .  A quick source review turned up a serious
>> vulnerability.  I sent it to Marty and I'll bet he has a fixed version out
>> by now.  All the users benefit from those of us paranoid enough to read
>> the code.
>> [...]
>>
>> Cheers,
>> Fyodor
>>
>> PS:  Now would be a good time to fill out the Nmap survey at
>> http://amy.insecure.org/nmap/nmap_survey.html :).  Thanks to the 664
>> people who have already filled it out.
>>
>> [1] http://www.snort.org/
>
>--
>Martin Roesch                      <roesch@hiverworld.com>
>Director of Forensic Systems     http://www.hiverworld.com
>Hiverworld, Inc.       Continuous Adaptive Risk Management

Jerry A. Shenk - MCNE, GIAC certified intrusion analyst
Sr. Systems Engineer - Computer Networking Services
D&E Communications, Inc.
jshenk@decommunications.com
1-877-433-8632 Fax via efax: (603) 250-1453
my website: http://jerryslinux.dyndns.org/jas
