[8848] in bugtraq
Nlog 1.1b released - security holes fixed
daemon@ATHENA.MIT.EDU (HD Moore)
Sat Dec 26 18:11:50 1998
Date: Sat, 26 Dec 1998 15:56:17 -0600
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: HD Moore <hdmoore@USA.NET>
To: BUGTRAQ@NETSPACE.ORG
The update to 1.1 had been released prior to Duke's post.
The latest version as of this writing is 1.1b; it is available from
http://owned.comotion.org/~spinux/index.html .
2.0 is under development now, with more extensions, more output options,
better search criteria, a centralized configuration, and a configuration
script.
The vulnerabilities have been fixed by an IP address pattern-matching function
called checkip() in nlog-config.ph. This only allows input to the extension
scripts in the format NNN.NNN.NNN.NNN, where N is a digit between 0 and
9.
As of version 1.1b, there are NO known holes in the nlog scripts.
-- 1.1b update --
Fixed a minor security hole that would allow a malicious user to change his
NetBIOS name to something like ;COMMAND; and then scan himself with
nlog-smb.pl; the UPPERCASE name would then be executed on the server as the
nobody user (on most systems). This vulnerability was discovered by Peter
Dijk, who also made some changes to the output to format it better in
modern browsers.
-- 1.1 update --
Fixed all the IP checking routines by calling checkip() before allowing the
address to be passed to the command line, with an option to log attempts to
run commands on the server.
Duke Wrote :
>there are still several security holes in the nlog cgi scripts that allow
>arbitrary execution of commands..
>
>one such vulnerability is here in rpc-nlog.pl:
>
>$ipaddr = $ENV{'QUERY_STRING'};
>$ipaddr =~ s/\n//g;
>$ipaddr =~ s/\`//g;
>$ipaddr =~ s/\'//g;
>$ipaddr =~ s/\|//g;
>$ipaddr =~ s/\"//g;
>$ipaddr =~ s/\<//g;
>$ipaddr =~ s/\>//g;
>$rpcdata = `$rpcinfo -p $ipaddr`;
>
>this is insufficient checking as it does not include ; and / for
>example, so a user can put in a command separator and execute commands
>that way..
>
>duke
>
>>
>> n l o g - nmap 2.x log management and analyzer toolkit
>> ------------------------------------------------------------------------------
>>
>> Download and Live Demo at: http://owned.commotion.org/~spinux
>>
-- snip --
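To make the difference between the two approaches in this thread concrete, here is an added example that is not code from nlog or from either poster. It places the blacklist filter Duke quoted from rpc-nlog.pl next to an allowlist checkip() of the kind HD Moore describes for nlog-config.ph, and runs both over a set of constructed inputs. The 0-255 octet-range check and the run_rpcinfo() helper (which uses the list form of open() so no shell is ever involved) are assumptions added here, not features the post attributes to nlog; the sample inputs are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not code from nlog or from this Bugtraq thread.
# It contrasts the blacklist filter Duke quoted from rpc-nlog.pl with an
# allowlist checkip() of the kind the post describes for nlog-config.ph.
# The inputs in @samples are constructed for this demo.
use strict;
use warnings;

# Blacklist as quoted from rpc-nlog.pl: strip a handful of shell
# metacharacters and hope nothing else matters.  Reproduced here only so
# the two approaches can be run side by side.
sub blacklist_strip {
    my ($ipaddr) = @_;
    $ipaddr =~ s/\n//g;
    $ipaddr =~ s/\`//g;
    $ipaddr =~ s/\'//g;
    $ipaddr =~ s/\|//g;
    $ipaddr =~ s/\"//g;
    $ipaddr =~ s/\<//g;
    $ipaddr =~ s/\>//g;
    return $ipaddr;
}

# Allowlist: the post describes NNN.NNN.NNN.NNN with N in 0-9.  Anchoring
# with \A and \z (not $, which lets a trailing newline through) is what
# makes the check strict.  The 0-255 octet range is an assumption added
# here, not something the post says nlog's checkip() does.
sub checkip {
    my ($ip) = @_;
    return 0 unless defined $ip;
    my @octets = ($ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/)
        or return 0;
    return 0 if grep { $_ > 255 } @octets;
    return 1;
}

# Safe invocation (assumed design, beyond what the post describes): validate
# first, then run rpcinfo through the list form of open(), which never goes
# through /bin/sh, so metacharacters in $ip could not matter even if the
# check above were wrong.
sub run_rpcinfo {
    my ($ip, $rpcinfo) = @_;
    $rpcinfo = '/usr/bin/rpcinfo' unless defined $rpcinfo;
    die "refusing to run rpcinfo: bad address\n" unless checkip($ip);
    open(my $fh, '-|', $rpcinfo, '-p', $ip)
        or die "cannot run $rpcinfo: $!\n";
    my @out = <$fh>;
    close $fh;
    return @out;
}

my @samples = (
    '10.0.0.1',          # legitimate
    '10.0.0.1;id',       # Duke's point: ';' survives the blacklist
    '10.0.0.1 && id',    # so does '&&'
    '$(id)',             # and $( )
    "10.0.0.1\nid",      # newline is stripped, but the result is still not an IP
    ';COMMAND;',         # the shape of the NetBIOS name in the 1.1b fix
    '999.1.1.1',         # right shape, octet out of range
);

printf "%-18s %-18s %s\n", 'input', 'after blacklist', 'checkip';
for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;
    printf "%-18s %-18s %d\n", $shown, blacklist_strip($s), checkip($s);
}

# Only the first sample should ever reach the command line.  To actually
# query a host: print run_rpcinfo('10.0.0.1');
```

Running the script shows that every injection-shaped input passes through blacklist_strip() with its command separator intact, while checkip() rejects all of them and accepts only the well-formed address. The lesson the thread teaches is the general one: an allowlist that describes exactly what valid input looks like is easier to get right than a blacklist that tries to enumerate every character a shell might interpret, and avoiding the shell altogether removes the question entirely.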