[27715] in bugtraq


SnortCenter 0.9.5 temp file naming problems...

daemon@ATHENA.MIT.EDU (Clint Byrum)
Tue Nov 5 16:56:57 2002

Message-ID: <27771.66.126.94.101.1036523050.squirrel@secure.spamaps.org>
Date: Tue, 5 Nov 2002 11:04:10 -0800 (PST)
From: "Clint Byrum" <cbyrum@spamaps.org>
To: <bugtraq@securityfocus.com>

Hello. I am releasing this very late, as SnortCenter v0.9.6 has been
released for a few weeks now. This bug was discovered a couple of months
ago, but not released at the request of Stefan Dens, the author of
SnortCenter.
SnortCenter is a PHP-based tool for aggregating many snort sensors into
one place to make it easy to keep rules and configurations synchronized.

Upon choosing to "push" the rules out to a particular sensor, a file is
created in the temp directory with the same name as the sensor. So, if
your sensor is named "hal" and you push the rules out to it, on the
webserver, a file is created:

/tmp/hal

with permissions 777. This means that *anyone* with access to the
SnortCenter server's /tmp directory could read the sensor config files,
among other fun /tmp games. Interesting bits in these files include the
usernames/passwords/addresses of the alert database servers.

TO FIX:

v0.9.6 has been recently released, and should be upgraded to. Also I have
attached a patch for 0.9.5 that uses a more random name (not sure of the
security of PHP 4's tempnam() function), and secure permissions on the
file.
You can get v0.9.6 at snortcenter's home page.

http://users.pandora.be/larc/

Clint Byrum
----------------------------
http://spamaps.org/
http://excellenceintech.com/


[Attachment: snortcenter_v095-tmpfix.patch (application/octet-stream, base64); the patch body is not included in this archive copy.]
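The following is an added illustration of the bug class the post describes; it is not SnortCenter's code and not the patch that was attached to the message. It models the two behaviours in Python rather than PHP so that it runs and checks itself: a config file written to a predictable path under the temp directory and chmod'ed to 777, beside a version that uses an unpredictable name, exclusive creation and mode 0600. The function names (push_config_vulnerable, push_config_fixed, audit_tmp, demo), the sample config line and the "hal" sensor name are assumptions made for the example, and a scratch directory stands in for /tmp.

```python
import os
import shutil
import stat
import tempfile

# Constructed sample of the kind of content the post says these files hold
# (alert-database host, user and password). Not a real SnortCenter config.
SAMPLE_CONFIG = (
    "output database: log, mysql, user=snort password=s3cret "
    "dbname=snort host=db.example.internal\n"
)


def push_config_vulnerable(sensor_name, config, tmpdir="/tmp"):
    """The pattern the post describes: <tmpdir>/<sensor_name>, mode 777.

    The path is predictable, open() follows a symlink an attacker may have
    planted there, and chmod(777) makes the credentials world-readable.
    """
    path = os.path.join(tmpdir, sensor_name)
    with open(path, "w") as f:
        f.write(config)
    os.chmod(path, 0o777)
    return path


def push_config_fixed(sensor_name, config, tmpdir=None):
    """Random name, O_CREAT|O_EXCL (fails instead of following a symlink),
    and the file exists as 0600 before anything is written to it."""
    fd, path = tempfile.mkstemp(prefix=f"snortcenter-{sensor_name}-", dir=tmpdir)
    try:
        os.fchmod(fd, 0o600)  # mkstemp already does this; made explicit here
        with os.fdopen(fd, "w") as f:
            f.write(config)
    except Exception:
        os.unlink(path)
        raise
    return path


def audit_tmp(tmpdir, sensor_names):
    """Check for an existing 0.9.5 install: which sensor-named entries exist
    in tmpdir, whether each is a symlink, and whether its target is
    world-readable. Returns (sensor_name, is_symlink, target_world_readable)."""
    findings = []
    for name in sensor_names:
        path = os.path.join(tmpdir, name)
        if not os.path.lexists(path):
            continue
        is_link = stat.S_ISLNK(os.lstat(path).st_mode)
        readable = bool(os.stat(path).st_mode & stat.S_IROTH)
        findings.append((name, is_link, readable))
    return findings


def demo():
    """Run both versions in a scratch directory standing in for /tmp and
    return what an attacker and an auditor would observe."""
    workdir = tempfile.mkdtemp(prefix="snortcenter-demo-")
    try:
        results = {}
        # Attacker who can write to the temp directory pre-creates the
        # predictable name as a symlink to a file they want overwritten.
        victim = os.path.join(workdir, "victim")
        with open(victim, "w") as f:
            f.write("original contents\n")
        os.symlink(victim, os.path.join(workdir, "hal"))

        vuln_path = push_config_vulnerable("hal", SAMPLE_CONFIG, workdir)
        results["vuln_path_predictable"] = vuln_path == os.path.join(workdir, "hal")
        # os.stat follows the planted symlink: the victim file is now 777
        results["vuln_mode"] = stat.S_IMODE(os.stat(vuln_path).st_mode)
        with open(victim) as f:
            results["victim_clobbered"] = f.read() == SAMPLE_CONFIG

        fixed_path = push_config_fixed("hal", SAMPLE_CONFIG, workdir)
        results["fixed_mode"] = stat.S_IMODE(os.stat(fixed_path).st_mode)
        results["fixed_path_predictable"] = fixed_path == os.path.join(workdir, "hal")

        results["findings"] = audit_tmp(workdir, ["hal", "other"])
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if key.endswith("_mode") else value)
```

The properties that matter are the same in any language: a name the attacker cannot predict, creation that fails rather than following a file or symlink that is already there, and no moment at which the file is readable by others. PHP's tempnam() is documented to create the file itself with mode 0600 and a unique name, which covers those points; what the vulnerable pattern above gets wrong is every one of them at once.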

