Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: bt485.txt

various portmon vulnerabilities





Ok, I have released portmon 1.9, which addresses both of the security 
"holes" which were brought up on bugtraq recently.  Please see:

http://www.securityfocus.com/archive/82/326718
http://www.securityfocus.com/archive/1/325482

It is important to note that portmon is (and never was) installed SUID 
by default, for obvious reasons.  In fact, the --enable-setuid option 
in the configure script printed out a nasty warning regarding the 
nature of SUID programs.
So, as of version 1.8, portmon does not come with the --enable-setuid 
option.  If the user is hellbent on running portmon as a lower level 
user, then they can chmod +s it by hand. ;]
Regarding the gobbles-esque "overflow" that was posted today (25 Jun 
03), this particular bug isn't exactly exploitable and can't be used to 
gain elevated privileges on the target system.  As the author of the 
exploit expressed to me in an email:

   export USER=l33t
   which create many a stress for admin if they find this in the log !
   but your right, is not a M A J OR concern.  thanx n1xo ! !

I would like to clarify two things about this advisory:
- This segfault has been corrected as of version 1.9.  Please see 
http://aboleo.net/software/portmon/downloads for updates.
- This particular bug, when "exploited" as the author suggests, 
produces the following output to a portmon log:

envy:~/portmon/src$ export USER=l33t
envy:~/portmon/src$ ./portmon -c /usr/local/etc/hosts -l temp.log -d
envy:~/portmon/src$ head -1 temp.log
(Wed Jun 25 14:57:11 2003) - Portmon started by user l33t

While I find it odd that something like this might be considered to be 
a security vulnerability, I should note that the $USER environment 
variable is not used in any other places in the code.  So while users 
of portmon are encouraged to upgrade to the latest and greatest 
version, anyone running portmon nonsuid (default) is not vulnerable to 
local exploitation by either of these bugs.

-Nik
--
|| Nik Reiman || nik@aboleo.net || http://www.aboleo.net ||


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH