Nlog 1.1b released - security holes fixed

From: HD Moore (hdmooreat_private)
Date: Sat Dec 26 1998 - 13:56:17 PST


    The update to 1.1 had been released prior to Duke's post.
    
    The latest version as of this writing is 1.1b; it is available from
    http://owned.comotion.org/~spinux/index.html .
    2.0 is under development now, with more extensions, more output options,
    better search criteria, a centralized configuration, and a configuration
    script.
    
    The vulnerabilities have been fixed by an IP address pattern-matching function
    called checkip() in nlog-config.ph.  This only allows input to the extension
    scripts in the format of NNN.NNN.NNN.NNN, where N is a number between 0 and
    9.
    
    As of version 1.1b, there are NO known holes in the nlog scripts.
    
    -- 1.1b update --
    Fixed a minor security hole that would allow a malicious user to change his
    netbios name to something like ;COMMAND; and then scan himself with
    nlog-smb.pl, the UPPERCASE name would be executed on the server by the
    nobody user (on most systems).  This vulnerability was discovered by Peter
    Dijk and he also added some changes to the output to format it better in
    modern browsers.
    
    -- 1.1 update --
    Fixed all the IP checking routines by calling checkip() before allowing that
    to be passed to the command line, with an option to log attempts to run
    commands on the server.
    
    Duke wrote:
    
    >there are still several security holes in the nlog cgi scripts that allow
    >arbitrary execution of commands..
    >
    >one such vulnerability is here in rpc-nlog.pl:
    >
    >$ipaddr = $ENV{'QUERY_STRING'};
    >$ipaddr =~ s/\n//g;
    >$ipaddr =~ s/\`//g;
    >$ipaddr =~ s/\'//g;
    >$ipaddr =~ s/\|//g;
    >$ipaddr =~ s/\"//g;
    >$ipaddr =~ s/\<//g;
    >$ipaddr =~ s/\>//g;
    >$rpcdata = `$rpcinfo -p $ipaddr`;
    >
    >this is insufficient checking as it does not include ; and / for
    >example, so a user can put in a command separator and execute commands
    >that way..
    >
    >duke
    >
    >>
    >> n l o g    -  nmap 2.x log management and analyzer toolkit
    >> ----------------------------------------------------------------------------------
    >>
    >> Download and Live Demo at:   http://owned.commotion.org/~spinux
    >>
    -- snip --
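
The difference between the character-stripping check Duke quotes and the whitelist checkip() described in the update, as an added example that is not nlog's own code (the function names, the constructed query strings and the 0..255 octet range check are assumptions made here; the post only specifies the NNN.NNN.NNN.NNN digit format):

```perl
#!/usr/bin/perl
# Added example, not code from nlog. Shows why removing a fixed set of
# characters from QUERY_STRING is not enough and what a whitelist check
# modelled on the described checkip() accepts instead.
use strict;
use warnings;

# Blacklist filter in the shape of the quoted rpc-nlog.pl code: drops
# newline, backtick, quotes, pipe and angle brackets, leaves everything else.
sub strip_chars {
    my ($s) = @_;
    $s =~ s/\n//g;
    $s =~ s/[`'"|<>]//g;
    return $s;
}

# Whitelist check: only NNN.NNN.NNN.NNN with 1-3 digits per octet passes.
# \A and \z are used instead of ^ and $ so a trailing newline cannot sneak
# through. The 0..255 range check is an assumption added here.
sub checkip {
    my ($s) = @_;
    return 0 unless defined $s;
    return 0 unless $s =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    for my $octet ($1, $2, $3, $4) {
        return 0 if $octet > 255;
    }
    return 1;
}

# Even a validated value should not be interpolated into a shell command
# line; list-form open() runs the program directly, with no shell involved.
sub run_rpcinfo {
    my ($rpcinfo, $ip) = @_;
    die "rejected input\n" unless checkip($ip);
    open(my $fh, '-|', $rpcinfo, '-p', $ip) or die "cannot run $rpcinfo: $!\n";
    my @out = <$fh>;
    close($fh);
    return @out;
}

# Constructed sample query strings; the second contains a command separator,
# which the blacklist leaves untouched but checkip() rejects.
my @samples = ('10.0.0.1', '10.0.0.1;COMMAND', '10.0.0.1/x', "10.0.0.1\n", '999.1.1.1');
for my $q (@samples) {
    (my $shown = $q) =~ s/\n/\\n/g;
    printf "%-18s stripped=%-18s checkip=%s\n",
        $shown, strip_chars($q), checkip($q) ? 'accept' : 'reject';
}
```

run_rpcinfo() is defined but not called in the demo loop so the script runs without rpcinfo installed.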
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:25 PDT