Ok, I have released portmon 1.9, which addresses both of the security "holes" which were brought up on bugtraq recently. Please see:

http://www.securityfocus.com/archive/82/326718
http://www.securityfocus.com/archive/1/325482

It is important to note that portmon is not (and never was) installed SUID by default, for obvious reasons. In fact, the --enable-setuid option in the configure script printed out a nasty warning regarding the nature of SUID programs. So, as of version 1.8, portmon does not come with the --enable-setuid option. If the user is hellbent on running portmon as a lower level user, then they can chmod +s it by hand. ;]

Regarding the gobbles-esque "overflow" that was posted today (25 Jun 03), this particular bug isn't exactly exploitable and can't be used to gain elevated privileges on the target system. As the author of the exploit expressed to me in an email:

> export USER=l33t
> which create many a stress for admin if they find this in the log !
> but your right, is not a M A J OR concern.
> thanx n1xo ! !

I would like to clarify two things about this advisory:

- This segfault has been corrected as of version 1.9. Please see http://aboleo.net/software/portmon/downloads for updates.

- This particular bug, when "exploited" as the author suggests, produces the following output to a portmon log:

    envy:~/portmon/src$ export USER=l33t
    envy:~/portmon/src$ ./portmon -c /usr/local/etc/hosts -l temp.log -d
    envy:~/portmon/src$ head -1 temp.log
    (Wed Jun 25 14:57:11 2003) - Portmon started by user l33t

While I find it odd that something like this might be considered to be a security vulnerability, I should note that the $USER environment variable is not used in any other places in the code.

So while users of portmon are encouraged to upgrade to the latest and greatest version, anyone running portmon non-SUID (default) is not vulnerable to local exploitation by either of these bugs.

-Nik

--
|| Nik Reiman || nik@aboleo.net || http://www.aboleo.net ||
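The log line above is produced from whatever the invoking user exported as $USER, which is why a single shell variable ends up verbatim in the log. The following is an added example, not portmon's own code and not the fix shipped in 1.9: it contrasts the untrusted getenv("USER") lookup with resolving the real UID through getpwuid(), and strips control characters so a chosen name cannot forge additional log records. The function names (user_from_env, user_from_uid, sanitize_for_log, format_start_record) are hypothetical.

```c
/* Added example (not portmon's code): log the invoking user from the
 * kernel-supplied real UID instead of the attacker-controlled $USER
 * environment variable, and neutralise control characters so one log
 * entry cannot smuggle in fake lines. Function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>

/* Untrusted way: whatever the caller exported as USER (may be unset). */
const char *user_from_env(void) {
    const char *u = getenv("USER");
    return u ? u : "(unset)";
}

/* Trusted way: resolve the real UID through the password database.
 * Falls back to "uid=N" when no passwd entry exists (minimal containers). */
const char *user_from_uid(char *buf, size_t n) {
    uid_t uid = getuid();
    struct passwd *pw = getpwuid(uid);
    if (pw && pw->pw_name && pw->pw_name[0])
        snprintf(buf, n, "%s", pw->pw_name);
    else
        snprintf(buf, n, "uid=%lu", (unsigned long)uid);
    return buf;
}

/* Copy src into dst, replacing bytes below 0x20 and 0x7f with '?',
 * so newlines or escape sequences in a name cannot inject log records.
 * Returns the number of bytes replaced. */
size_t sanitize_for_log(const char *src, char *dst, size_t n) {
    size_t replaced = 0, i;
    if (n == 0) return 0;
    for (i = 0; src[i] && i < n - 1; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c == 0x7f) { dst[i] = '?'; replaced++; }
        else dst[i] = (char)c;
    }
    dst[i] = '\0';
    return replaced;
}

/* Build the "Portmon started by user X" record as a hardened logger would. */
int format_start_record(char *out, size_t n) {
    char name[256], clean[256];
    user_from_uid(name, sizeof name);
    sanitize_for_log(name, clean, sizeof clean);
    return snprintf(out, n, "Portmon started by user %s", clean);
}

int main(void) {
    char rec[512];
    setenv("USER", "l33t", 1);   /* constructed: the value from the advisory */
    printf("from $USER : %s\n", user_from_env());
    format_start_record(rec, sizeof rec);
    printf("from getuid: %s\n", rec);
    return 0;
}
```

Running it shows the first line echoing the exported value while the second reports the account the process actually runs as; a reviewer auditing a logger can grep for getenv("USER"), getenv("LOGNAME") and similar and ask whether each one feeds a line that an operator will later trust.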