aimSniff.pl file "deletion" (local)
Advisory attached.
aimSniff.pl 0.9b file "deletion" (local)
Martin (broadcast@xxxxxxxxxxxxxxxx)
-------------------
Program Description
-------------------
Excerpt from the README file follows:
"AIM Sniff is a utility for monitoring and archiving AOL Instant Messenger
messages across a network. You can either do a live dump (actively sniff the
network) or read a PCAP file and parse the file for IM messages. You also have
the option of dumping the information to a MySQL database or STDOUT.
Another part of AIM Sniff is WAS (Web AIM Sniff) that is available as a separate
download. This is a web page front end to view and generate reports of captured
AIM conversations. This is expected to include the ability to see all conversations
from an IP address, AIM handle, NT Username, conversations between certain time
periods.
It will allow administrators to see how often users are chatting to monitor for
abuse. You can also use AIM Sniff to monitor for cases of harassment or warez
trading."
Program available at www.aimsniff.com
Intended audience:
"... The program was designed for network security specialist who have a deep
understanding of network topology and the inner workings of internet protocols.
Any network security specialist who is worth his weight uses unix in some
variety or flavor ..."
-------------------
Problem Description
-------------------
[martin@localhost aimsniff-0.9b]$ grep -n \$debug2 aimSniff.pl
55:my $debug2=1;
1312: if($debug2){
$debug2 never gets modified, so that condition is always true.
sub LeaveNow{
    log_msg("Child exiting");
    if($debug2){
        open(LOG,">/tmp/AS.log") or die "Could not open debug file: $^E\n"; #(a)
        print LOG "$debugmsg\n"; #(b)
        close(LOG);
    }
    #....
}
Therefore, whenever LeaveNow is called, (a) and (b) will happen.
sub start_AS {
    &open_syslog();
    if ($daemonMode == 1)
    {
        $SIG{'QUIT'}=\&LeaveNow;
        $SIG{'INT'}=\&LeaveNow;
        $SIG{'HUP'}=\&dump_child_stats;
    }
    #....
    #and right before the end of the procedure:
    #....
    &LeaveNow;
}
And when start_AS is called, LeaveNow will eventually be called.
The problem lies in (a) and (b). Excerpt from perlfunc related to open()
follows:
"...If MODE is ">", the file is truncated and opened for output, being created
if necessary..."
Since the file is placed in /tmp, an attacker can create a symlink at /tmp/AS.log
pointing to any file he wants "erased". To sniff any traffic, this perl script has
to be run as root, so the local attacker can do this to any file. The file won't
really be erased, but its original contents will be replaced with one of the
following sentences:
[martin@localhost aimsniff-0.9b]$ grep \$debugmsg= aimSniff.pl
my $debugmsg="";
$debugmsg="AIM Message";
$debugmsg="Incoming Message";
$debugmsg="Outgoing Message";
$debugmsg="File Xfer";
$debugmsg="AIM Login";
$debugmsg="Version Information";
$debugmsg="Got Version";
$debugmsg="Chat Info";
$debugmsg="Got Chats";
$debugmsg="Chat join";
$debugmsg="Got chat join";
$debugmsg="Get Buddies";
$debugmsg="Got Buddies";
$debugmsg="Get other buddies";
$debugmsg="got buddies";
------------------
Possible Solutions
------------------
change (a) into:
    unlink("/tmp/AS.log");
    sysopen(LOG,"/tmp/AS.log",O_WRONLY|O_EXCL|O_CREAT,0600)
        or die "Could not open debug file: $!\n";
(the O_* constants come from "use Fcntl;"; with O_CREAT|O_EXCL the open fails
instead of following a symlink that already exists at that path, and the handle
stays LOG so (b) keeps working)
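The two opens side by side, as an added example that is not part of aimSniff or this advisory: it builds a throwaway directory holding a constructed victim file and a planted symlink, then shows that the original open(">") truncates the victim while sysopen with O_CREAT|O_EXCL refuses the link. The unlink from the suggested fix is left out here so the link is still in place when sysopen runs.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Constructed scratch layout (added example, not aimSniff code):
# $victim stands in for the file the attacker wants clobbered, $log stands
# in for the predictable /tmp/AS.log path where a symlink has been planted.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/victim";
my $log    = "$dir/AS.log";

# Create the victim with known contents and plant the symlink on the log path.
sub plant_symlink {
    open(my $fh, '>', $victim) or die "create victim: $!";
    print $fh "important data\n";
    close($fh);
    symlink($victim, $log) or die "symlink: $!";
}

# Same pattern as (a)/(b) in LeaveNow: ">" follows the link and truncates
# whatever it points at before writing the debug message.
sub original_open {
    open(LOG, ">$log") or die "open: $!";
    print LOG "AIM Message\n";
    close(LOG);
}

# Hardened form from the advisory: O_CREAT|O_EXCL fails with EEXIST when
# anything, a symlink included, already sits at the path, so the target of
# the link is never opened, let alone truncated.
sub hardened_open {
    my $fh;
    sysopen($fh, $log, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return "refused ($!)";
    print $fh "AIM Message\n";
    close($fh);
    return "written";
}

plant_symlink();
printf "hardened sysopen: %s; victim is %d bytes\n", hardened_open(), -s $victim;
original_open();
printf "original open('>'): victim is now %d bytes\n", -s $victim;
```

The unlink before sysopen in the fix above only clears a stale real AS.log; a link recreated between the unlink and the sysopen still makes O_EXCL fail rather than follow it.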
----------------
Vendor Contacted
----------------
11/02/03 - Contacted, updated the same day.
------------
Official Fix
------------
Version upgrade available at
http://sourceforge.net/project/showfiles.php?group_id=61413
Download 0.9d