[Xymon] Xymon Systems and Network Monitor - remote file deletion vulnerability
Axel Beckert
beckert at phys.ethz.ch
Fri Jul 26 15:59:34 CEST 2013
Hi Henrik,
On Thu, Jul 25, 2013 at 07:35:23PM +0200, Henrik Størner wrote:
> If access to administrative commands is limited by use of the
> "--admin-senders" option for the "xymond" daemon, then the attack is
> restricted to the commands sent from the IP-addresses listed in the
> --admin-senders access list. However, the default configuration
> permits these commands to be sent from any IP.
At least for 4.3.11 I could not reproduce the fact that the default
config permits these commands to be sent from any IP.
The installed tasks.cfg as well as tasks.cfg.DIST both contain these
lines:
[xymond]
[...]
        CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid \
                --restart=$XYMONTMP/xymond.chk --checkpoint-file=$XYMONTMP/xymond.chk --checkpoint-interval=600 \
                --log=$XYMONSERVERLOGS/xymond.log \
                --admin-senders=127.0.0.1,$XYMONSERVERIP \
                ^^^^^^^^^^^^^^^^^^^^^^^^
                --store-clientlogs=!msgs
(This does not lower the severity of the missing basename call in
xymond_rrd, but may lower the impact with regard to how many
installations are remotely vulnerable.)
Kind regards, Axel Beckert
--
Axel Beckert <beckert at phys.ethz.ch> support: +41 44 633 26 68
IT Services Group, HPT H 6 voice: +41 44 633 41 89
Departement of Physics, ETH Zurich
CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/
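As an added example (not part of this mail and not Xymon's own code), a small Python audit that folds the backslash-continued CMD line of the [xymond] task in tasks.cfg and reports whether --admin-senders is set; the sample configurations are constructed from the snippet quoted above.

```python
import shlex

# Constructed sample: the [xymond] task as quoted in the mail above.
SAMPLE_WITH_ADMIN_SENDERS = """\
[xymond]
        CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid \\
                --restart=$XYMONTMP/xymond.chk --checkpoint-file=$XYMONTMP/xymond.chk --checkpoint-interval=600 \\
                --log=$XYMONSERVERLOGS/xymond.log \\
                --admin-senders=127.0.0.1,$XYMONSERVERIP \\
                --store-clientlogs=!msgs
"""

# Constructed sample: same task with the option removed (the case Henrik
# describes, where admin commands are accepted from any IP).
SAMPLE_WITHOUT_ADMIN_SENDERS = """\
[xymond]
        CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid \\
                --log=$XYMONSERVERLOGS/xymond.log
"""


def fold_continuations(text):
    """Join lines ending in a backslash with the next line, as tasks.cfg
    allows for long CMD definitions, and strip surrounding whitespace."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.rstrip())
    return out


def admin_senders(cfg_text):
    """Return the --admin-senders value of the [xymond] CMD line, or None
    when the option is absent from that task (or the task has no CMD)."""
    section = None
    for line in fold_continuations(cfg_text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "xymond" and line.startswith("CMD "):
            for arg in shlex.split(line[4:]):
                if arg.startswith("--admin-senders="):
                    return arg.split("=", 1)[1]
            return None
    return None


def audit(cfg_text):
    """One-line verdict suitable for a configuration check."""
    senders = admin_senders(cfg_text)
    if senders is None:
        return "WARN: xymond runs without --admin-senders (any IP may send admin commands)"
    return "OK: admin commands restricted to " + senders
```

Run it against a real tasks.cfg by passing the file contents to audit(); a WARN line means the restriction Henrik mentions is not in effect.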