portmon <=1.8 buffer over flow !

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

holo,

i find something when i try portmon out for a ride. this is the home of portmon -
http://aboleo.net/software/portmon/

portmon is software that replaces shell script ping & cron to test the hosts.

this is what i find -
portmon 1.8 and earlier buffer overflow:

[user@localhost]# export USER=`perl -e 'print "A" x 666'` /* 110 suffice but i like 66 since the vendor is named old nik! ! */ [user@localhost]# /usr/local/bin/portmon -c devilzride.txt Segmentation fault (core dumped)

bad code in portmon.c
sprintf(err_msg, "Portmon started by user %s\n", getenv("USER"));

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

err_msg declare as a -
err_msg = (char *)malloc(128 * sizeof(char));

1.8 is no longer suid root ! probably not an exploitation (in <=1.7) becuz there is nothing on heap to write over and n1xo does not like to use the free() (teehe, grep free turns up the dust , who needs the free() anyhow!) .. maybe you find a way ?

USER is not a trusted one and you can spoof the logs or trash the files by exploit this guy in <1.8:
portmon -l /etc/shadow

see - http://www.securityfocus.com/archive/1/325653/2003-06-15/2003-06- 21/0

fix :

n1xo said he make a code to fix this one. ask him :  Nik Reiman <nik@aboleo.net>

greetz :

ts@securityorfice.net is the only one werth the props !
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

wkYEARECAAYFAj74zFIACgkQarKSBij8yIKdywCfdB0dk3LfrnMXjMYTPT4HSZwGRcoA n0Z+Y3LYt1T8JKCWRYDCEIThCceo
=G6hd
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434

Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 Received on Wed Jun 25 12:34:41 2003