Re: Nlog v1.0 Released - Nmap 2.x log management / analyzing tool

From: duke (dukeat_private)
Date: Thu Dec 24 1998 - 18:08:44 PST

    hi,
    
    there are still several security holes in the nlog cgi scripts that allow
    arbitrary execution of commands..
    
    one such vulnerability is here in rpc-nlog.pl:
    
    $ipaddr = $ENV{'QUERY_STRING'};   # raw, attacker-controlled input
    $ipaddr =~ s/\n//g;               # blacklist: strip newline,
    $ipaddr =~ s/\`//g;               #   backtick,
    $ipaddr =~ s/\'//g;               #   single quote,
    $ipaddr =~ s/\|//g;               #   pipe,
    $ipaddr =~ s/\"//g;               #   double quote,
    $ipaddr =~ s/\<//g;               #   less-than,
    $ipaddr =~ s/\>//g;               #   greater-than; everything else passes
    $rpcdata = `$rpcinfo -p $ipaddr`; # $rpcinfo (path to rpcinfo) is still interpolated into a /bin/sh command line
    
    this is insufficient checking as it does not include ; and / for
    example, so a user can put in a command separator and execute commands
    that way..
    
    duke
    
    >
    > n l o g    -  nmap 2.x log management and analyzer toolkit
    > ------------------------------------------------------------------------------
    >
    > Download and Live Demo at:   http://owned.commotion.org/~spinux
    >
    > From the README:
    > ----------------------------
    >
    > NLog is a set of PERL scripts for managing and analyzing your nmap 2.0+ log
    > files.  It allows you to keep all of your scan logs in a single searchable
    > database.  The CGI interface for viewing your scan logs is completely
    > customizable and easy to modify and improve.  The core CGI script allows you
    > to add your own extension  scripts for different services, so all hosts with
    > a certain service running will have a hyperlink to the extension script.
    >
    > An Overview:
    > ------------------
    >
    > Basically this is a multi-purpose web-based nmap log browser.  The extension
    > scripts allow you to get detailed information about specific services like
    > netbios, the RPC services, the finger service, and BIND version of a DNS
    > server.  It is extremely easy to create your own extensions for things like
    > a snmpwalk wrapper, a popper vulnerability check, etc.
    >
    > Nlog provides a standard database format to build your own scripts for any
    > purpose.  Whether to provide a graphical representation of a network or as a
    > web based service gateway to an internal network.  Included are the example
    > CGI scripts, the nmap log to database conversion tool, a sample template for
    > building your own PERL scripts, and a couple of extra scripts for dumping IP's
    > from a domain and the like.
    >
    > A possible use of nlog is for a network administrator who scans his local
    > network regularly, to make sure none of the machines are listening on weird
    > ports and that they all are running the services they should be.  A cron
    > script could scan his internal network, convert the log files to the
    > database format and store them on a web server by time or date.  The
    > administrator could then load the nlog search form page preferably protected
    > by the normal http authentication methods and run comparisons between
    > databases collected on different dates or at different times from anywhere.
    > If the web server is on a gateway machine, he could run RPC or finger
    > requests on the internal hosts through the CGI interface thus removing his
    > need to be on the possibly firewalled or masqued network to check a host's
    > status.
    >
    > This code is being released under no type of copyright.  I only ask that if
    > you are to use this in a commercial product, give me credit for the work
    > I've done.
    >
    > --HD
    
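The blacklist duke quotes beside the whitelist that should replace it, as an added example that is not part of the original post and not Nlog's own code. It reproduces the posted filter, adds a strict IPv4 check, runs rpcinfo through the list form of open() so no shell is involved, and uses /bin/echo as a stand-in for rpcinfo in the final demonstration so it runs offline. The payload string and the /bin/echo path are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not Nlog code): rpc-nlog.pl's blacklist beside a whitelist,
# plus a shell-free way to invoke rpcinfo.  Payload and paths are assumptions.
use strict;
use warnings;

# The filter as posted: strips a handful of shell metacharacters, nothing else.
sub blacklist_filter {
    my ($s) = @_;
    $s =~ s/[\n`'|"<>]//g;
    return $s;
}

# Whitelist instead: return the address only if it is a plain dotted quad
# with every octet in 0..255; return undef for anything else.
sub validate_ipv4 {
    my ($s) = @_;
    return undef unless defined $s
        && $s =~ /\A((?:\d{1,3}\.){3}\d{1,3})\z/;
    my $ip = $1;
    for my $octet (split /\./, $ip) {
        return undef if $octet > 255;
    }
    return $ip;
}

# Second layer: the list form of open() passes argv straight to execve(),
# so /bin/sh never parses the string and ';' is just another byte.
sub run_rpcinfo {
    my ($rpcinfo, $target) = @_;
    my $ip = validate_ipv4($target);
    die "refusing to run rpcinfo: '$target' is not an IPv4 address\n"
        unless defined $ip;
    open(my $fh, '-|', $rpcinfo, '-p', $ip)
        or die "cannot exec $rpcinfo: $!\n";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed payload: a command separator the blacklist never removes.
my $attack = '10.0.0.1;id';

printf "blacklist lets through : %s\n", blacklist_filter($attack);
printf "whitelist on payload   : %s\n",
    defined validate_ipv4($attack) ? 'accepted' : 'rejected';
printf "whitelist on 10.0.0.1  : %s\n",
    defined validate_ipv4('10.0.0.1') ? 'accepted' : 'rejected';

# Even unvalidated input cannot reach a shell through list-form open();
# /bin/echo stands in for rpcinfo here so the demonstration runs offline.
open(my $echo, '-|', '/bin/echo', '-p', $attack) or die "echo: $!\n";
my $argv_seen = <$echo>;
close $echo;
print "argv seen by the child : $argv_seen";
```

The last line shows the child receiving the literal `;id` as part of one argument rather than as a second command. Two further points a CGI author of the time would want: run the script under `perl -T`, where the original backtick line aborts with an "Insecure dependency" error because `$ENV{'QUERY_STRING'}` is tainted and the regex capture in validate_ipv4 is exactly the untainting step taint mode demands; and note that the blacklist approach cannot be fixed by adding `;` and `/` to the list, since `$`, `(`, `&`, newline variants and whatever else the shell interprets would still need enumerating, whereas the whitelist only ever admits a dotted quad.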



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:20 PDT