Xymon 4.x File Deletion

Type packetstorm
Reporter Henrik Stoerner
Modified 2013-07-26T00:00:00


a security vulnerability has been found in version 4.x of the Xymon   
Systems & Network Monitor tool (https://sourceforge.net/projects/xymon/).  
The error permits a remote attacker to delete files on the server   
running the Xymon trend-data daemon "xymond_rrd". File deletion is done   
with the privileges of the user that Xymon is running with, so it is   
limited to files available to the userid running the Xymon service. This   
includes all historical data stored by the Xymon monitoring system.  
Vulnerable versions  
All Xymon 4.x versions prior to 4.3.12 with the xymond_rrd module   
enabled (this is the default configuration).  
Note that Xymon was called "Hobbit" from version 4.0 to 4.2; all of the   
"Hobbit" versions are also vulnerable.  
Mitigating factors  
The attack requires access to the xymond network port (default: tcp port   
If access to administrative commands is limited by use of the   
"--admin-senders" option for the "xymond" daemon, then the attack is   
restricted to the commands sent from the IP-adresses listed in the   
--admin-senders access list. However, the default configuration permits   
these commands to be sent from any IP.  
Systems where xymond_rrd is disabled are not vulnerable, but this is not   
the default configuration.  
Xymon stores historical data, trend-data etc. for each monitored host in   
a set of directories below the Xymon "server/data/" directory. Each   
monitored host has a set of directories named by the hostname.  
When a host is no longer monitored, the data stored for the host can be   
removed by sending a "drop HOSTNAME" command to the Xymon master daemon.   
This is forwarded to xymond_rrd and other modules which then handle   
deleting various parts of the stored data, essentially by performing the   
equivalent of "rm -rf <xymondatadirectory>/rrd/HOSTNAME". In the   
vulnerable versions of Xymon, the hostname sent to xymond was used   
without any checking, so a hostname could include one or more "../"   
sequences to delete files outside the intended directory.  
There are other modules that delete files in response to a "drophost"   
command, but for various reasons these are not vulnerable to the attack.  
Credit and timeline  
The bug was discovered by "cleaver" during investigation of a bug   
originally reported to the Xymon mailing list on July 17 -   
http://lists.xymon.com/archive/2013-July/037838.html - and I was   
notified via private e-mail on July 21st when it was realized to be a   
security related issue.  
A bugfix - r7199 - was committed to the Sourceforge SVN code repository   
on July 23rd, and version 4.3.12 was released on July 24th.  
Henrik Størner  
Xymon developer