pktstat /tmp/smtp.log writes content from TCP streams to public readable file

2013.02.23
Credit: Sven Hartge
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2013-0350
CWE: CWE-59


CVSS Base Score: 6.3/10
Impact Subscore: 9.2/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Complete
Availability impact: Complete

I noticed pktstat creates a file with a fixed name in /tmp and writes debugging info gathered from the sniffed TCP streams into it: redacted:/tmp# ls -al smtp.log - -rw-r--r-- 1 root root 236726 Feb 22 21:30 smtp.log Content is something like this: - -----------8<--------------------- smpt_line [EHLO mail.example.com] normalized to [EHLO mail.example.com] set desc to: [EHLO mail.example.com] smpt_line [STARTTLS] normalized to [STARTTLS] set desc to: [STARTTLS] smpt_line [EHLO mail.example.com] normalized to [EHLO mail.example.com] set desc to: [EHLO mail.example.com] smpt_line [STARTTLS] normalized to [STARTTLS] set desc to: [STARTTLS] smpt_line [EHLO mail.example.com] normalized to [EHLO mail.example.com] set desc to: [EHLO mail.example.com] - -----------8<--------------------- This is troublesome on several levels in my opinion: a) the filename is always the same. Since pktstat is normally run as root, this can be used for a symlink attack, at least to overwrite important files with garbage b) the file is normally world readable, depending on root's umask and may contain sensitive information. c) if pktstat is left running for some time on a busier network interface, this logfile can get quite big and possibly fill /tmp or /. The code responsible is in tmp_smtp.c: oweh () hostname:~/apt/pktstat-1.8.5$ grep log * tcp_smtp.c:FILE*log; tcp_smtp.c:if ((log = fopen("/tmp/smtp.log", "a"))) tcp_smtp.c: fprintf(log, "smpt_line [%s]\n", line); tcp_smtp.c:if (log)fprintf(log, "normalized to [%s]\n", line); tcp_smtp.c:if (log)fprintf(log, "from_addr = [%s]\n", state->from_addr); tcp_smtp.c:if (log)fprintf(log, "to_addr = [%s]\n", state->to_addr); tcp_smtp.c:if (log)fprintf(log, "set desc to: [%s]\n", f->desc); tcp_smtp.c:if (log)fclose(log); From the indention and formatting of said code I gather it is leftover debug code, never intended to be released. Just removing all of the above lines is sufficient to close this bug. Gr&#65532;&#65503;e, Sven. - -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (600, 'unstable'), (500, 'experimental'), (400, 'testing') Architecture: i386 (x86_64) Foreign Architectures: amd64 Kernel: Linux 3.7-trunk-amd64 (SMP w/12 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages pktstat depends on: ii libc6 2.13-38 ii libncurses5 5.9-10 ii libpcap0.8 1.3.0-1 ii libtinfo5 5.9-10 pktstat recommends no packages. pktstat suggests no packages. - -- no debconf information

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701211
http://seclists.org/oss-sec/2013/q1/417


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top