[Xymon] Xymon Systems and Network Monitor - remote file deletion vulnerability

Axel Beckert beckert at phys.ethz.ch
Fri Jul 26 15:59:34 CEST 2013

Hi Henrik,

On Thu, Jul 25, 2013 at 07:35:23PM +0200, Henrik Størner wrote:
> If access to administrative commands is limited by use of the
> "--admin-senders" option for the "xymond" daemon, then the attack is
> restricted to the commands sent from the IP-adresses listed in the
> --admin-senders access list. However, the default configuration
> permits these commands to be sent from any IP.

At least for 4.3.11 I could not reproduce the fact that the default
config permits these commands to be sent from any IP.

The installed tasks.cfg as well as tasks.cfg.DIST both contain these

        CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid \
                --restart=$XYMONTMP/xymond.chk --checkpoint-file=$XYMONTMP/xymond.chk --checkpoint-interval=600 \
                --log=$XYMONSERVERLOGS/xymond.log \
                --admin-senders=,$XYMONSERVERIP \

(This does not lower the severity of the missing basename call in
xymond_rrd, but may lower the impact with regards to how many
installations are remotely vulnerable.)

		Kind regards, Axel Beckert
Axel Beckert <beckert at phys.ethz.ch>       support: +41 44 633 26 68
IT Services Group, HPT H 6                  voice: +41 44 633 41 89
Departement of Physics, ETH Zurich
CH-8093 Zurich, Switzerland		   http://nic.phys.ethz.ch/

More information about the Xymon mailing list