Vulnerability

    shadow ids

Affected

    shadow prior to 1.6

Description

    Patrick Oonk found the following.  The shadow IDS contains a
    programming mistake that breaks many scripts in the suite.  The
    author assumed at some point that the year value returned by Perl's
    date functions is a 2 digit number, which it isn't.  In 2000 the
    value of $year is '100'.

    By the way, the Shadow perl scripts also use /tmp a lot with
    predictable file names, so local exploits are possible.

Solution

    Patrick made a small fix which still is not pretty, but going to a
    4 digit year would break many other things in the scripts, and this
    fix will work for the next 99 years anyway (he changed the top of
    'sensor/variables.ph' into):

        # We need various timestamps all over the place
        @T = localtime;
        if ($T[5] > 99) { $T[5] -= 100; }

    Version 1.6 of the SHADOW intrusion detection system passed through
    1/1/00 with no problems.  Those with earlier versions had a problem
    on their sensors.  Our suggestion is to fetch the latest version of
    SHADOW (Version 1.6) from

        http://www.nswc.navy.mil/ISSEC/CID/shadowForm.html

    and install it.  For the short term, line 22 in start_logger.pl of
    pre-1.6 versions reads:

        $tmp = sprintf("%02d%02d%02d%02d", @T[5],@T[4]+1,@T[3],@T[2]);

    Change it to:

        # strftime comes from the POSIX module: the script needs
        # "use POSIX qw(strftime);" if it does not load it already
        $tmp = strftime("%y%m%d%H", @T);

    This should keep your SHADOW system functioning until you upgrade
    to Version 1.6.
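The following Perl script is an added example, not part of SHADOW or of the original advisory. It runs the original sprintf line, Patrick Oonk's variables.ph fix and the strftime replacement over constructed localtime-style lists and marks every stamp that is not exactly 8 digits; the sub names and sample dates are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not SHADOW code): three ways of building the YYMMDDHH stamp.
use strict;
use warnings;
use POSIX qw(strftime);

# Pre-1.6 behaviour: field 5 of localtime is "years since 1900", printed as-is.
sub stamp_original {
    my @T = @_;
    return sprintf("%02d%02d%02d%02d", $T[5], $T[4] + 1, $T[3], $T[2]);
}

# Patrick Oonk's fix from sensor/variables.ph, applied before formatting.
sub stamp_patched {
    my @T = @_;
    if ($T[5] > 99) { $T[5] -= 100; }
    return sprintf("%02d%02d%02d%02d", $T[5], $T[4] + 1, $T[3], $T[2]);
}

# Short-term fix for start_logger.pl: strftime's %y is always two digits.
sub stamp_strftime {
    my @T = @_;
    return strftime("%y%m%d%H", @T);
}

# Mark any stamp that is not exactly 8 digits, the width the format implies.
sub flag {
    my ($s) = @_;
    return $s =~ /^\d{8}\z/ ? $s : "$s (!)";
}

# Constructed inputs in localtime order: (sec, min, hour, mday, mon, year-1900).
my @cases = (
    [ '1999-12-31 23h', [ 0, 0, 23, 31, 11,  99 ] ],
    [ '2000-01-01 00h', [ 0, 0,  0,  1,  0, 100 ] ],
    [ '2099-12-31 23h', [ 0, 0, 23, 31, 11, 199 ] ],
    [ '2100-01-01 00h', [ 0, 0,  0,  1,  0, 200 ] ],
);

printf "%-15s %-14s %-14s %-14s\n", 'date', 'original', 'patched', 'strftime';
for my $case (@cases) {
    my ($label, $T) = @$case;
    my @out = map { flag($_) }
        (stamp_original(@$T), stamp_patched(@$T), stamp_strftime(@$T));
    printf "%-15s %-14s %-14s %-14s\n", $label, @out;
}
```

The 2100 row shows where the subtract-100 fix stops working, while the strftime form keeps the stamp at 8 digits for every row.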