Date: Jan 22 2002
Impact: Execution of arbitrary code via network, Root access via network
Version(s): sniffit.0.3.7.beta; possibly earlier versions

Description: A buffer overflow vulnerability was reported in Sniffit. A remote user can cause arbitrary code to be executed with root level privileges on the system running Sniffit.

It is reported that a buffer overflow occurs in a section of code that is executed when Sniffit is run with the -L (logging) command line option, as shown:

    ./sniffit -c ./sample_config_file -L normmail

The vulnerable code is reported to be the following section of sniffit.0.3.7.beta/sn_logfile.c:

    void print_mail (char *conn, char *msg)
    {
        char line[250];

        sprintf(line,"%s: mail [%s]",conn,msg);
        print_logline (line);
    }

A remote user can create a specially crafted packet that, when sniffed by Sniffit, will trigger the buffer overflow and execute the user's code on the server. Sniffit is run with root privileges, so the code will be executed with root privileges.

Thanks to Debian for releasing a fix for this bug and not releasing a new source archive. NOT!! So I fixed it myself and made a new fixed archive, so if anyone could put it up at ibiblio or some other host it would be nice. I will put it up temporarily on a host:

Fixed version: http://www.clan-tva.com/m0rpheus/sniffit.0.3.7.beta-6.1.tar.gz

Old ebuild with some changes:

    # Copyright 1999-2001 Gentoo Technologies, Inc.
    # Distributed under the terms of the GNU General Public License, v2 or later
    # Author Ben Lutgens <lamer@gentoo.org>

    A=sniffit.0.3.7.beta-6.1.tar.gz
    S=${WORKDIR}/${PN}.0.3.7.beta-6.1
    DESCRIPTION="packet sniffer"
    SRC_URI=
    HOMEPAGE="http://reptile.rug.ac.be/~coder/sniffit/sniffit.html"
    DEPEND=">=net-libs/libpcap-0.6.2"
    #RDEPEND=""

    src_compile() {
        try ./configure --infodir=/usr/share/info --mandir=/usr/share/man --prefix=/usr --host=${CHOST}
        try emake
        #try make
    }

    src_install () {
        dobin sniffit
        doman sniffit.5 sniffit.8
        dodoc README.FIRST PLUGIN-HOWTO
    }

It isn't the nicest ebuild I've seen, but I didn't make it and it works :))

Ferry Meyndert <m0rpheus@poseidon.mine.nu>
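As an added illustration (not code from Sniffit, the Debian patch, or the poster's archive) of what the fix for print_mail has to achieve: the unbounded sprintf into the 250-byte stack buffer is replaced by a length-checked snprintf that reports truncation instead of overrunning the buffer. The print_logline stub and the helper names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 250   /* same buffer size as the original print_mail */

/* Stand-in for sniffit's print_logline(); the real one writes to the log file. */
static void print_logline(const char *line) { (void)line; }

/* Hardened print_mail: snprintf bounds the write to sizeof(line) and
 * reports whether the message had to be cut instead of overrunning the
 * stack. Returns 1 if truncated, 0 if the whole line fit, -1 on error. */
int print_mail_safe(const char *conn, const char *msg)
{
    char line[LINE_MAX_LEN];
    int needed = snprintf(line, sizeof line, "%s: mail [%s]", conn, msg);
    if (needed < 0)
        return -1;                      /* encoding error, nothing logged */
    print_logline(line);                /* line is always NUL-terminated here */
    return (size_t)needed >= sizeof line;
}

/* Length the formatted line would have without any bound, for comparison. */
size_t formatted_length(const char *conn, const char *msg)
{
    return strlen(conn) + strlen(": mail [") + strlen(msg) + strlen("]");
}

/* Constructed over-long mail field (400 'A's), the kind of input that
 * overflowed the original 250-byte buffer. Returns print_mail_safe's result. */
int demo_long_message(void)
{
    char big[400];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return print_mail_safe("10.0.0.1:25", big);
}

int main(void)
{
    printf("short message truncated: %d\n", print_mail_safe("10.0.0.1:25", "hello"));
    printf("long message truncated:  %d\n", demo_long_message());
    return 0;
}
```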
The actual source patch would be better than a patched archive, as it allows us and end users to know exactly what was changed compared to the official upstream archive. It would be better to toss the patch itself into the files directory and apply the patch during src_unpack(). Debian usually makes such patches available; if you have it, could you attach it to this bug? Thanks :)
Only problem is the patch is pretty big and in gz, which cvs doesn't really like. And also I wasn't able to patch it; I needed to edit the parts of vulnerable code by hand :(( . That's why I did it this way, otherwise I would just do a patch. Cheers, Ferry
Does this fix the security issue? http://ftp.debian.org/debian/pool/main/s/sniffit/sniffit_0.3.7.beta-10.diff.gz If it's more than 50K we can always host the patch file and have it downloaded and applied by the ebuild. I'm just afraid of "distributing" modified tarballs not approved by the upstream maintainer.
Yes, that's the one I used. I will give it a try again tomorrow. I got some errors with compiling after I applied the patch. But I had some troubles with my dev box that have been fixed now, so I will try again.
Ok, another better fix if someone could put the patch up at ibiblio or another site. The compiling problem was on my side; after I fixed my box it compiles fine.

sniffit-0.3.7.ebuild:

    # Copyright 1999-2001 Gentoo Technologies, Inc.
    # Distributed under the terms of the GNU General Public License, v2 or later

    P=sniffit.0.3.7.beta
    S=${WORKDIR}/${P}
    DESCRIPTION="packet sniffer"
    SRC_URI="http://reptile.rug.ac.be/~coder/sniffit/files/${P}.tar.gz
             http://www.clan-tva.com/m0rpheus/sniffit_0.3.7.beta-10.diff"
    HOMEPAGE="http://reptile.rug.ac.be/~coder/sniffit/sniffit.html"
    DEPEND=">=net-libs/libpcap-0.6.2"

    # Unpack the upstream archive, then apply the Debian fix from DISTDIR.
    src_unpack() {
        unpack ${P}.tar.gz
        cd ${S}
        patch < ${DISTDIR}/sniffit_0.3.7.beta-10.diff || die
    }

    src_compile() {
        try ./configure --infodir=/usr/share/info --mandir=/usr/share/man --prefix=/usr --host=${CHOST}
        try emake
    }

    src_install () {
        dobin sniffit
        doman sniffit.5 sniffit.8
        dodoc README.FIRST PLUGIN-HOWTO
    }
Thanks for the patch... fix checked in...