83390 2002-11-05 22:41 /32 lines/ Clint Byrum <cbyrum@spamaps.org>
Imported: 2002-11-05 22:41 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <2230>
Subject: SnortCenter 0.9.5 temp file naming problems...
------------------------------------------------------------
Hello.

I am releasing this very late, as SnortCenter v0.9.6 has been released for a few weeks now. This bug was discovered a couple of months ago, but not released at the request of Stefan Dens, the author of SnortCenter.

SnortCenter is a PHP-based tool for aggregating many snort sensors into one place to make it easy to keep rules and configurations synchronized.

Upon choosing to "push" the rules out to a particular sensor, a file is created in the temp directory with the same name as the sensor. So, if your sensor is named "hal" and you push the rules out to it, on the webserver, a file is created

/tmp/hal

With permissions 777. This means that *anyone* with access to the SnortCenter server's /tmp directory could read the sensor config files, among other fun /tmp games. Interesting bits in these files include the usernames/passwords/addresses of the alert database servers.

TO FIX:

v0.9.6 has been recently released, and should be upgraded to. Also I have attached a patch for 0.9.5 that uses a more random name (not sure of the security of php4's tempnam() function), and secure permissions on the file.

You can get v0.9.6 at snortcenter's home page.
http://users.pandora.be/larc/

Clint Byrum
----------------------------
http://spamaps.org/
http://excellenceintech.com/
(83390) /Clint Byrum <cbyrum@spamaps.org>/(Rewrapped)
Attachment (application/octet-stream) in text 83391

83391 2002-11-05 22:41 /127 lines/ Clint Byrum <cbyrum@spamaps.org>
Attachment filename: "snortcenter_v095-tmpfix.patch"
Imported: 2002-11-05 22:41 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <2231>
Attachment (text/plain) to text 83390
Subject: Attachment (snortcenter_v095-tmpfix.patch) to: SnortCenter 0.9.5 temp file naming problems...
------------------------------------------------------------
--- snortcenter.orig/sensor.inc.php Sat Aug 24 06:26:14 2002 +++ snortcenter/sensor.inc.php Tue Oct 1 13:48:44 2002 @@ -19,6 +19,9 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ + +global $senstmpfnam; + function find_interface_pid($id,$db) { $result = $db->acidExecute("select cmd_line, interface from sensor where id ='$id'"); $myrow = $result->acidFetchRow(); @@ -135,7 +138,7 @@ } function create_config($sensor_export, $sensor_id, $db) { - +global $senstmpfnam; sync_group($sensor_id,$db); global $snortcenter_ver; @@ -145,7 +148,9 @@ $result = $db->acidExecute("select sensor_name from sensor where id='$sensor_id'"); $myrow = $result->acidFetchRow(); $sensor_name = $myrow[0]; - echo "<FONT size=1>"; + if($sensor_export != 'download') { + echo "<FONT size=1>"; + } $result_id = $db->acidExecute("SELECT sid from rulechange where sensor_id='$sensor_id'"); while ($myrow = $result_id->acidFetchRow()) {
@@ -155,10 +160,12 @@ if (($sensor_export == 'download') || ($sensor_export == 'push')){ if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) { - $fp = fopen ("c:/temp/$sensor_name", "w"); + $senstmpfnam = tempnam("c:/temp",$sensor_name); + $fp = fopen ($senstmpfnam, "w"); } else { - $fp = fopen ("/tmp/$sensor_name", "w"); + $senstmpfnam = tempnam("/tmp",$sensor_name); + $fp = fopen ($senstmpfnam, "w"); } } @@ -685,7 +692,7 @@ if ($sensor_export == 'view') { echo "<BR>"; } # } -echo "</FONT>"; +if($sensor_export != 'download') { echo "</FONT>";} } return $sensor_name; } --- snortcenter.orig/sensor.php Sat Aug 24 12:29:53 2002 +++ snortcenter/sensor.php Tue Oct 1 12:38:26 2002 @@ -130,11 +130,13 @@ $sensor_name = create_config("push", $id, $db); if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) { if ($curl_path !='') { $curl_path = rtrim($curl_path,'\\') . '\\'; } - $filename= "c:/temp/$sensor_name"; + #$filename= "c:/temp/$sensor_name"; + $filename=$senstmpfnam; } else { if ($curl_path !='') { $curl_path = rtrim($curl_path,'/') . '/'; } - $filename= "/tmp/$sensor_name"; + #$filename= "/tmp/$sensor_name"; + $filename=$senstmpfnam; } $r_option = find_interface_pid($id,$db); exec($curl_path."curl -s -S --connect-timeout $curl_timeout -F \"interface=$myrow[interface]\" -F \"r_option=$r_option\" -F upload=@\"$filename\" $url 2>&1", $return_string); @@ -143,6 +145,7 @@ } $cmd_err = push_cmd_line($id,$db); $sensor_msg = "$line<BR>$cmd_err"; + unlink($filename); } @@ -361,7 +364,7 @@ require('bottom.inc.php'); if ($sensor_ctl == 'download'){ - echo '<SCRIPT language=javascript>setTimeout("location.href=\'dl.php?sensor_name='.$sensor_name.'\'",0);</SCRIPT>'; + echo '<SCRIPT language=javascript>setTimeout("location.href=\'dl.php?sensor_name='.$sensor_name.'&id='.$id.'\'",0);</SCRIPT>'; } ?> --- snortcenter.orig/dl.php Wed Aug 7 10:46:41 2002 +++ snortcenter/dl.php Tue Oct 1 13:50:00 2002 
@@ -1,15 +1,16 @@ <?php if ($sensor_name) { + include("config.php"); + include("sensor.inc.php"); + $db = NewACIDDBConnection($DBlib_path,$DBtype); + $db->acidConnect($DB_dbname,$DB_host,$DB_port,$DB_user,$DB_password); + create_config("download",$id,$db); global $HTTP_USER_AGENT; - if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) { - $download="c:/temp/$sensor_name"; - } - else { - $download="/tmp/$sensor_name"; - } + global $senstmpfnam; + #$download="/tmp/$sensor_name"; $name= $sensor_name. '.snort.conf'; - $size=filesize($download); + $size=filesize($senstmpfnam); header("Content-Type: application/octet-steam"); header("Content-Type: application/force-download"); @@ -23,6 +24,7 @@ { header("Content-Disposition: attachment; filename=".$name); } - readfile($download); + readfile($senstmpfnam); + unlink($senstmpfnam); } ?>
(83391) /Clint Byrum <cbyrum@spamaps.org>/(Rewrapped)
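
Review bot: In sensor.inc.php (hunks @@ -19,6 and @@ -135,7) the temp file path is handed to callers through the global $senstmpfnam instead of a return value. The file-scope "global $senstmpfnam;" does nothing when the file is included at top level, and any caller that runs inside a function sees an unset variable unless it repeats the declaration. create_config() already returns $sensor_name; returning the path alongside it would remove the hidden coupling between sensor.inc.php, sensor.php and dl.php.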
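
Review bot: In sensor.inc.php hunk @@ -155,10 the result of tempnam() goes straight into fopen() with no check for false, and $sensor_name from the database is used as the filename prefix. tempnam() can fail, or fall back to the system temp directory when the requested one is unusable, so test the return value and the resulting directory before writing; a fixed prefix would also keep the sensor name out of the path. The covering mail promises secure permissions, but no chmod() or umask() call appears in any visible hunk, so the file mode rests entirely on what tempnam() creates. An explicit chmod($senstmpfnam, 0600) before the fopen() would make the intent visible, and it is worth confirming that whatever produced mode 777 in 0.9.5 is not still applied later in create_config().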
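
Review bot: In sensor.php hunk @@ -130,11 the exec() context line still interpolates $filename, $url, $r_option and $myrow[interface] into a shell command inside double quotes, and $filename still embeds the sensor name as its prefix. Pass each value through escapeshellarg() when building the curl command. $filename=$senstmpfnam is also empty if tempnam() failed or the global is not in scope here, so check it before invoking curl. The two commented-out assignments (#$filename= ...) can be deleted rather than left in place.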
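
Review bot: In sensor.php hunk @@ -143,6 the added unlink($filename) runs only at the end of the push path, after push_cmd_line(). If the script stops before that line, the config file the advisory describes as holding database credentials stays in the temp directory. Move the unlink() to directly after the exec() call, or register the cleanup with register_shutdown_function() as soon as the file exists.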
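
Review bot: In sensor.php hunk @@ -361,7 $sensor_name and the newly added $id are concatenated unencoded into a URL inside an inline script block. Apply urlencode() to the sensor name and intval() to the id before echoing them, so a sensor name containing quotes or markup cannot change the generated script.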
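
Review bot: In dl.php hunk @@ -1,15 $id and $sensor_name are used without being read from the request explicitly or validated, and $id now flows into create_config(), whose queries in sensor.inc.php build SQL as where id='$sensor_id'. Cast $id with intval() before the call. The hunk starts at line 1 of the file and shows no session or authorization check before the database connection is opened and a credential-bearing config is generated, so confirm that config.php enforces one. If sensor.php still calls create_config() for the download case, the temp file it creates is no longer consumed here and is never removed. The context line header("Content-Type: application/octet-steam") also carries a typo for octet-stream.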
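
Review bot: In dl.php hunk @@ -23,6 the Content-Disposition context line builds the filename from $name, which derives from the request-supplied $sensor_name, while the file content now comes from the sensor selected by $id. Take the name from the database row that create_config() already looks up, restrict it to a safe character set, and quote it in the header so the downloaded filename always matches the sensor whose config is sent.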
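
The temp-file handling the advisory calls for (unpredictable name, owner-only mode, removal after use), as an added PHP example that is not SnortCenter's code or the author's patch. The helper names write_sensor_config() and with_sensor_config() are hypothetical, the sample config line is constructed, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not SnortCenter code; helper names are hypothetical.

/** Write $contents to a private temp file in $dir and return its path. */
function write_sensor_config(string $contents, string $dir): string
{
    // Fixed prefix: the sensor name from the database stays out of the path.
    $path = tempnam($dir, 'snortcfg_');
    if ($path === false) {
        throw new RuntimeException("tempnam() failed in $dir");
    }
    // tempnam() falls back to the system temp dir when $dir is unusable.
    if (realpath(dirname($path)) !== realpath($dir)) {
        unlink($path);
        throw new RuntimeException("temp file landed outside $dir");
    }
    // State the mode explicitly instead of relying on the platform default.
    if (!chmod($path, 0600)) {
        unlink($path);
        throw new RuntimeException("could not restrict mode of $path");
    }
    if (file_put_contents($path, $contents, LOCK_EX) === false) {
        unlink($path);
        throw new RuntimeException("could not write $path");
    }
    return $path;
}

/** Run $use($path) and remove the file even if $use throws. */
function with_sensor_config(string $contents, string $dir, callable $use)
{
    $path = write_sensor_config($contents, $dir);
    try {
        return $use($path);
    } finally {
        if (is_file($path)) {
            unlink($path);
        }
    }
}

// Constructed sample input; a real file holds alert-database credentials.
$conf = "output database: log, mysql, user=EXAMPLE password=EXAMPLE\n";
$mode = with_sensor_config($conf, sys_get_temp_dir(), function (string $path) {
    clearstatcache();
    return substr(sprintf('%o', fileperms($path)), -4);
});
echo "mode while in use: $mode\n";
```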