Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Macintosh :: bt1417.txt

Sustworks Unauthorized Network Monitoring and tcpflow format string attack






----- Original Message -----
From: "@stake Advisories" <advisories@atstake.com>
To: <bugtraq@securityfocus.com>
Sent: Thursday, August 07, 2003 11:52 AM
Subject: Sustworks Unauthorized Network Monitoring and tcpflow format string
attack


>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
>                                 @stake, Inc.
>                               www.atstake.com
>
>                              Security Advisory
>
> Advisory Name: Sustworks Unauthorized Network Monitoring and
>                tcpflow format string attack
>  Release Date: 08/07/2003
>   Application: IPNetMonitorX and IPNetSentryX
>      Platform: Mac OS X
>      Severity: Local users can sniff network traffic
>                Local users can become root
>        Author: Dave G. <daveg@atstake.com>
> Vendor Status: Fix available
> CVE Candidate: CVE candidate number applied for
>     Reference: www.atstake.com/research/advisories/2003/a080703-1.txt
>
>
> Overview:
>
> IPNetSentryX and IPNetMonitorX are network tools that provide
> firewalling and general network monitoring respectively.  Both of
> these tools come with three helper tools that each have security
> issues associated with them.  The first two tools: RunTCPDump and
> RunTCPFlow allow arbitrary users to monitor the network without
> requiring any form of authentication or privilege.  The third tool,
> tcpflow (executed by RunTCPFlow), contains a format string
> vulnerability, allowing arbitrary commands to be run as the user
> calling the program.  Since RunTCPFlow is setuid root and will pass
> arguments to tcpflow, we can execute arbitrary commands as root.
>
>
> Details:
>
> RunTCPDump and RunTCPFlow are setuid root helper applications that
> simply execute /usr/sbin/tcpdump and /usr/local/bin/tcpflow.  These
> helper applications pass all arguments to the commands they are
> executing, allowing users to execute tcpdump and tcpflow however
> they choose.  Unfortunately, any user with interactive access to a
> Mac OS X system with IPNetSentryX or IPNetMonitorX can run these
> commands.  This allows any user on the system to be able to view
> all network traffic that pass through the vulnerable system.
>
> For example:
>
> bash-2.05a$ id
> uid=503(dummy) gid=20(staff) groups=20(staff)
> bash-2.05a$ pwd
> /Applications/IPNetSentryX.app/Contents/Resources
> bash-2.05a$ ./RunTCPDump -i en1 -x -v -s 4096
> RunTCPDump: listening on en1
> 18:02:55.726143 arp who-has 192.168.0.1 tell 192.168.0.1
>                          0001 0800 0604 0001 XXXX XXXX XXXX XXXX
>                          0001 0000 0000 0000 c0a8 0001 0000 0000
>                          0000 0000 0000 0000 0000 0000 0000
>
>
> Additionally, tcpflow is vulnerable to a format string
> vulnerability, which normally would not be a serious security
> vulnerability.  However, since any user on a system that has
> IPNetSentryX or IPNetMonitorX and tcpflow installed can cause
> tcpflow to be executed as root via RunTCPFlow, an attacker can
> use this vulnerability to become root.  A corresponding
> @stake advisory (a080703-2) has been released on the tcpflow
> format string attack.
>
>
> Vendor Response:
>
> These vulnerabilities are mitigated in the latest version of
> IPNetSentryX and IPNetMonitorX available from
> http://www.sustworks.com.  Mitigation strategies include
> stronger input validation and access control to RunTCPDump
> and RunTCPFlow.
>
>
> Recommendation:
>
> Upgrade to the latest version of IPNetSentryX and tcpflow.
>
>
> Common Vulnerabilities and Exposures (CVE) Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues.  These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
>   CVE candidate number applied for
>
>
> @stake Vulnerability Reporting Policy:
> http://www.atstake.com/research/policy/
>
> @stake Advisory Archive:
> http://www.atstake.com/research/advisories/
>
> PGP Key:
> http://www.atstake.com/research/pgp_key.asc
>
> @stake is currently seeking application security experts to fill
> several consulting positions.  Applicants should have strong
> application development skills and be able to perform application
> security design reviews, code reviews, and application penetration
> testing.  Please send resumes to jobs@atstake.com.
>
> Copyright 2003 @stake, Inc. All rights reserved.
>
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPzKp50e9kNIfAm4yEQLzUACg8NWt5xklZb72A+1x9b/a9FVC7YcAn0qp
> +za7wOpXnQ6cmqlu3gEkm5ae
> =sYTv
> -----END PGP SIGNATURE-----
>
>


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH