Bugtraq mailing list archives
Nlog 1.1b released - security holes fixed
From: hdmoore () USA NET (HD Moore)
Date: Sat, 26 Dec 1998 15:56:17 -0600
The update to 1.1 had been released prior to Duke's post. The latest version as of this writing is 1.1b, which is available from http://owned.comotion.org/~spinux/index.html . 2.0 is under development now, with more extensions, more output options, better search criteria, a centralized configuration, and a configuration script.

The vulnerabilities have been fixed by an IP address pattern matching function called checkip() in nlog-config.ph. This only allows input to the extension scripts in the format NNN.NNN.NNN.NNN, where N is a number between 0 and 9. As of version 1.1b, there are NO known holes in the nlog scripts.

-- 1.1b update --

Fixed a minor security hole that would allow a malicious user to change his NetBIOS name to something like ;COMMAND; and then scan himself with nlog-smb.pl; the UPPERCASE name would be executed on the server by the nobody user (on most systems). This vulnerability was discovered by Peter Dijk, who also added some changes to the output to format it better in modern browsers.

-- 1.1 update --

Fixed all the IP checking routines by calling checkip() before allowing the address to be passed to the command line, with an option to log attempts to run commands on the server.

Duke wrote:
There are still several security holes in the nlog cgi scripts that allow arbitrary execution of commands.. one such vulnerability is here in rpc-nlog.pl:

    $ipaddr = $ENV{'QUERY_STRING'};
    $ipaddr =~ s/\n//g;
    $ipaddr =~ s/\`//g;
    $ipaddr =~ s/\'//g;
    $ipaddr =~ s/\|//g;
    $ipaddr =~ s/\"//g;
    $ipaddr =~ s/\<//g;
    $ipaddr =~ s/\>//g;
    $rpcdata = `$rpcinfo -p $ipaddr`;

This is insufficient checking as it does not include ; and / for example, so a user can put in a command separator and execute commands that way..

duke

n l o g - nmap 2.x log management and analyzer toolkit
-------------------------------------------------------------------------
-- Download and Live Demo at: http://owned.commotion.org/~spinux
-- snip --
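The filter Duke quotes from rpc-nlog.pl and the checkip() approach HD Moore describes, side by side as an added example. This is not code from nlog or from either poster. The blacklist_filter() below reproduces the quoted substitutions as posted (deliberately insufficient); the checkip() here is a stand-in for the one in nlog-config.ph and goes beyond the NNN.NNN.NNN.NNN pattern described in the post by anchoring the match with \A ... \z and requiring each octet to be 0-255. The sample query strings are constructed, and the rpcinfo path is an assumption.

```perl
#!/usr/bin/perl
# Added example (not nlog's own code): blacklist filtering versus an
# anchored whitelist check, plus a shell-free way to invoke rpcinfo.
use strict;
use warnings;

# Constructed sample QUERY_STRING values, including command-separator cases.
my @samples = (
    '10.0.0.5',             # legitimate input
    '10.0.0.5;id',          # ';' survives the quoted blacklist
    '10.0.0.5;/bin/id',     # both ';' and '/' survive
    '999.1.2.3',            # digits only, but not a valid octet
    "10.0.0.5\n",           # trailing newline: a '$' anchor would accept this
);

# The filter from the quoted rpc-nlog.pl, as posted (deliberately insufficient).
sub blacklist_filter {
    my ($ipaddr) = @_;
    $ipaddr =~ s/\n//g;
    $ipaddr =~ s/\`//g;
    $ipaddr =~ s/\'//g;
    $ipaddr =~ s/\|//g;
    $ipaddr =~ s/\"//g;
    $ipaddr =~ s/\<//g;
    $ipaddr =~ s/\>//g;
    return $ipaddr;
}

# Whitelist check in the spirit of checkip() in nlog-config.ph: accept only a
# dotted quad. Assumption beyond the post: \A and \z anchor the whole string
# (so "10.0.0.5;id" and "10.0.0.5\n" are rejected, which '^' and '$' alone
# would not guarantee) and every octet must be 0-255. Returns the validated
# string, or undef so the caller can log the attempt.
sub checkip {
    my ($ipaddr) = @_;
    return undef unless defined $ipaddr;
    return undef
        unless $ipaddr =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/;
    for my $octet ($1, $2, $3, $4) {
        return undef if $octet > 255;
    }
    return $ipaddr;
}

# Run rpcinfo without a shell. The list form of open passes each argument
# as a separate argv entry, so no metacharacter in the input can start a
# second command even if validation were ever loosened. Path is an assumption.
sub rpcinfo_for {
    my ($ipaddr) = @_;
    my $rpcinfo = '/usr/sbin/rpcinfo';
    my $clean = checkip($ipaddr);
    unless (defined $clean) {
        my $shown = defined $ipaddr ? $ipaddr : '';
        $shown =~ s/\n/\\n/g;
        warn "checkip rejected input '$shown'\n";   # log the attempt
        return '';
    }
    open(my $fh, '-|', $rpcinfo, '-p', $clean) or return '';
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Show what each sample looks like after the blacklist, and what checkip says.
for my $q (@samples) {
    my $after   = blacklist_filter($q);
    my $verdict = defined checkip($q) ? 'accepted' : 'rejected';
    (my $shown = $q) =~ s/\n/\\n/g;
    print "input '$shown': blacklist leaves '$after', checkip $verdict\n";
}

# Optional live run against a host given on the command line.
print rpcinfo_for($ARGV[0]) if @ARGV;
```

Run it with no arguments to see the table: every sample with a ';' passes the blacklist intact and would reach the backtick command line, while checkip() accepts only the plain 10.0.0.5. The option to log rejected attempts that the 1.1 update mentions corresponds to the warn in rpcinfo_for(). Using the list form of open instead of backticks is an additional measure a reviewer would want regardless of the input check, since it removes the shell from the path entirely.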