List: snort-users
Subject: RE: [snort] [fyodor@insecure.org: Re: BlackICE and nmap]
From: Jerry Shenk <jas () dect ! com>
Date: 2000-05-25 1:35:46
SMB alerts! I don't use 'em and can't imagine that I ever will.
===== Original Message from Martin Roesch <snort@bofh.kyrnet.kg> at 5/24/00 10:16 am
>*sigh*
>
>There is one in the SMB alert code. Fyodor pointed it out to me last
>week and I haven't had the time to patch it yet. Basically, we're
>writing to a known file in /tmp and that can be used to stomp any file
>on the system, possibly leading to root access if the attacker is good
>enough.
>
>This needs to be fixed, but it's been relatively low priority for me
>since:
>
>a) You have to do a configure-time option to even turn this code on
>
>b) SMB alerting is one of the least popular options in Snort
>
>c) This function is fantastically dangerous (and used to be noted as
>such) because it executes an external command from within a program with
>root privs (i.e. Snort) AND it's executing it through the $PATH. Can
>anyone in the class tell me why this is bad? :)
>
>d) Oh yeah, did I mention I've been on the road for the last three
>weeks, putting snort.org together, working on ARMOR (you know, my real
>job!), speaking at conferences, etc? (Let's all have a pity party...)
>:P
>
>Anyway, here's the offending code (Line 855 in log.c):
>
> /* erase the old message file */
> unlink("/tmp/.snortmsg");
>
> /* open the message file and the workstation names file */
> if (((tempmsg = fopen("/tmp/.snortmsg","w")) != NULL) &&
> ((workstations = fopen(workfile,"r")) != NULL))
> {
>
>We should be either using mkstemp(3) or recode the function to leave the
>data that goes in the .snortmsg file in memory. Does anyone know how
>portable mkstemp(3) is?
>
>Additionally, we should hard code the path to smbclient and make the
>user have to specify it at either run time or compile time (with
>configure?) to be completely safe.
>
>Can I get a show of hands as to how many people are actually using this
>code?
>
>
> -Marty
>
>
>Nelson Murilo wrote:
>>
>> Sorry if this is old, but I don't remember any 'serious vulnerability',
>> recent or not.
>>
>> ./nelson -murilo
>>
>> ----- Forwarded message from Fyodor <fyodor@insecure.org> -----
>> Return-Path: <nmap-hackers-return-738-nelson=pangeia.com.br@insecure.org>
>> Delivered-To: nelson@pangeia.com.br
>> Received: from amy.insecure.org (adsl-63-192-132-102.dsl.snfc21.pacbell.net [63.192.132.102])
>> by spliff.pangeia.com.br (Postfix) with SMTP id 1B90D3D3D4
>> for <nelson@pangeia.com.br>; Wed, 24 May 2000 10:13:18 -0300 (EST)
>> Received: (qmail 13025 invoked by uid 508); 24 May 2000 09:41:45 -0000
>> Mailing-List: contact nmap-hackers-help@insecure.org; run by ezmlm
>> Precedence: bulk
>> Delivered-To: mailing list nmap-hackers@insecure.org
>> Delivered-To: moderator for nmap-hackers@insecure.org
>> Received: (qmail 12766 invoked by uid 500); 24 May 2000 09:39:03 -0000
>> Date: Wed, 24 May 2000 02:39:03 -0700 (PDT)
>> From: Fyodor <fyodor@insecure.org>
>> X-Sender: Fyodor <fyodor@insecure.org>
>> To: Greg Thomas <mr360@yahoo.com>
>> Cc: nmap-hackers@insecure.org
>> Subject: Re: BlackICE and nmap
>> In-Reply-To: <20000523074106.22996.qmail@web2104.mail.yahoo.com>
>> Message-ID: <Pine.LNX.4.21.0005240113000.5281-100000@amy.yuma.net>
>> MIME-Version: 1.0
>> Content-Type: TEXT/PLAIN; charset=US-ASCII
>> Sender: nmap-hackers-return-738-nelson=pangeia.com.br@insecure.org
>> Status: RO
>> Content-Length: 2900
>> Lines: 65
>>
>> [...]
>> And source code access does matter. Even if *you* don't read the code,
>> other people will and you will benefit from fixes to the holes they
>> discover. For example, a couple weeks ago I downloaded an open source IDS
>> called snort [1] . A quick source review turned up a serious
>> vulnerability. I sent it to Marty and I'll bet he has a fixed version out
>> by now. All the users benefit from those of us paranoid enough to read
>> the code.
>> [...]
>>
>> Cheers,
>> Fyodor
>>
>> PS: Now would be a good time to fill out the Nmap survey at
>> http://amy.insecure.org/nmap/nmap_survey.html :). Thanks to the 664
>> people who have already filled it out.
>>
>> [1] http://www.snort.org/
>
>--
>Martin Roesch <roesch@hiverworld.com>
>Director of Forensic Systems http://www.hiverworld.com
>Hiverworld, Inc. Continuous Adaptive Risk Management
Jerry A. Shenk - MCNE, GIAC certified intrusion analyst
Sr. Systems Engineer - Computer Networking Services
D&E Communications, Inc.
jshenk@decommunications.com
1-877-433-8632 Fax via efax: (603) 250-1453
my website: http://jerryslinux.dyndns.org/jas
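The mkstemp(3) approach Marty suggests, as an added example that is not Snort's code: the message file is created exclusively under an unpredictable name and verified before use, instead of fopen("w") on a fixed /tmp path (POSIX libc assumed; the template name is constructed here).

```c
/* Added example (not Snort's code): mkstemp(3) replacement for the
 * fixed /tmp/.snortmsg file. Assumes a POSIX libc; the template name
 * "/tmp/snortmsg.XXXXXX" is constructed for illustration. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create the alert message file with mkstemp(3). Unlike fopen("w") on a
 * known name, mkstemp opens with O_CREAT|O_EXCL and mode 0600, so a symlink
 * pre-planted at a guessed name makes creation fail instead of redirecting
 * the root-owned write. 'path' receives the name mkstemp chose. */
FILE *open_private_msgfile(char *path, size_t pathlen)
{
    const char tmpl[] = "/tmp/snortmsg.XXXXXX";
    if (pathlen < sizeof tmpl) return NULL;
    memcpy(path, tmpl, sizeof tmpl);

    int fd = mkstemp(path);
    if (fd == -1) return NULL;

    /* Verify what we hold: a regular file we own, not group/world readable. */
    struct stat st;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd); unlink(path); return NULL;
    }
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) { close(fd); unlink(path); }
    return fp;
}

/* Write one alert to a fresh private file; returns 0 on success, -1 on
 * failure. The caller hands 'path' to the consumer and unlinks it after. */
int write_alert_message(const char *msg, char *path, size_t pathlen)
{
    FILE *fp = open_private_msgfile(path, pathlen);
    if (fp == NULL) return -1;
    int rc = (fputs(msg, fp) == EOF) ? -1 : 0;
    if (fclose(fp) == EOF) rc = -1;
    return rc;
}
```

Each call yields a different name, so two consecutive alerts never collide and an attacker cannot pre-create the target.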