pktstat /tmp/smtp.log writes content from TCP streams to public readable file

2013.02.23
Credit: Sven Hartge
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-59


CVSS Base Score: 6.3/10
Impact Subscore: 9.2/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Complete
Availability impact: Complete

I noticed pktstat creates a file with a fixed name in /tmp and writes debugging info gathered from the sniffed TCP streams into it:

    redacted:/tmp# ls -al smtp.log
    -rw-r--r-- 1 root root 236726 Feb 22 21:30 smtp.log

Content is something like this:

-----------8<---------------------
smpt_line [EHLO mail.example.com]
normalized to [EHLO mail.example.com]
set desc to: [EHLO mail.example.com]
smpt_line [STARTTLS]
normalized to [STARTTLS]
set desc to: [STARTTLS]
smpt_line [EHLO mail.example.com]
normalized to [EHLO mail.example.com]
set desc to: [EHLO mail.example.com]
smpt_line [STARTTLS]
normalized to [STARTTLS]
set desc to: [STARTTLS]
smpt_line [EHLO mail.example.com]
normalized to [EHLO mail.example.com]
set desc to: [EHLO mail.example.com]
-----------8<---------------------

This is troublesome on several levels in my opinion:

a) the filename is always the same. Since pktstat is normally run as root, this can be used for a symlink attack, at least to overwrite important files with garbage.

b) the file is normally world readable, depending on root's umask, and may contain sensitive information.

c) if pktstat is left running for some time on a busier network interface, this logfile can get quite big and possibly fill /tmp or /.

The code responsible is in tcp_smtp.c:

    hostname:~/apt/pktstat-1.8.5$ grep log *
    tcp_smtp.c: FILE *log;
    tcp_smtp.c: if ((log = fopen("/tmp/smtp.log", "a")))
    tcp_smtp.c:     fprintf(log, "smpt_line [%s]\n", line);
    tcp_smtp.c: if (log) fprintf(log, "normalized to [%s]\n", line);
    tcp_smtp.c: if (log) fprintf(log, "from_addr = [%s]\n", state->from_addr);
    tcp_smtp.c: if (log) fprintf(log, "to_addr = [%s]\n", state->to_addr);
    tcp_smtp.c: if (log) fprintf(log, "set desc to: [%s]\n", f->desc);
    tcp_smtp.c: if (log) fclose(log);

From the indentation and formatting of said code I gather it is leftover debug code, never intended to be released. Just removing all of the above lines is sufficient to close this bug.

Regards, Sven.
-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'experimental'), (400, 'testing')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.7-trunk-amd64 (SMP w/12 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pktstat depends on:
ii  libc6        2.13-38
ii  libncurses5  5.9-10
ii  libpcap0.8   1.3.0-1
ii  libtinfo5    5.9-10

pktstat recommends no packages.

pktstat suggests no packages.

-- no debconf information
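The reporter's fix is to delete the debug logging outright, which is the right call here. For the general case the report illustrates (a privileged process appending to a fixed path under /tmp), the following is an added example, not pktstat's code, of how such an open should be done so that the symlink and world-readability problems in points a) and b) cannot arise: open_log_nofollow and demo_symlink_refused are hypothetical names, and the demo directory and files are constructed for the self-check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hardened replacement for the report's fopen("/tmp/smtp.log", "a").
 * O_NOFOLLOW refuses a symlink at the final path component (the attack the
 * report describes), mode 0600 keeps the file private regardless of umask,
 * and fstat rejects anything that is not a regular file owned by the caller.
 * Returns a file descriptor, or -1 with errno set. */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                      /* ELOOP if path is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
/* Constructed self-check in a private directory: "smtp.log" is a symlink to
 * "victim"; the hardened open must refuse it (ELOOP) and must still accept a
 * plain file. Returns 1 when both hold, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/pktstat-demo-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char victim[128], link[128], plain[128];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/smtp.log", dir);
    snprintf(plain, sizeof plain, "%s/plain.log", dir);
    int ok = 0, v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v >= 0 && symlink(victim, link) == 0) {
        int bad = open_log_nofollow(link);
        int bad_errno = errno;
        int good = open_log_nofollow(plain);
        ok = (bad < 0 && bad_errno == ELOOP && good >= 0);
        if (good >= 0) close(good);
    }
    if (v >= 0) close(v);
    unlink(plain); unlink(link); unlink(victim); rmdir(dir);
    return ok;
}
```

Even with these checks, a fixed name in a world-writable directory remains a bad choice; a directory owned by the process (or no log at all, as the reporter suggests) removes the problem entirely.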

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701211
http://seclists.org/oss-sec/2013/q1/417


Copyright 2024, cxsecurity.com