[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Insecure Temporary File Creation Vulnerability in Net-Acct
From:       "Jérôme" ATHIAS <jerome.athias () caramail ! com>
Date:       2004-09-08 4:50:54
Message-ID: 20040908045054.1530.qmail () www ! securityfocus ! com
[Download RAW message or body]



Net-Acct is a user-space daemon which generates log files of network traffic for \
accounting purposes. Initially created by Ulrich Callmeier, it is now worked upon \
occasionally by a team of volunteers on the list net-acct*CoLi.Uni-SB.DE, questions \
are best asked there or net-acct*exorsus.net. 

Stefan Nordhausen has identified a local security hole in net-acct (all versions). It \
appears to be some redundant code from some time way back in the past although I'm \
not entirely sure. I have removed the code, since it doesn't actually appear to do \
anything other than create and delete a file that is referenced nowhere else. Use the \
patch at your own risk, until I've had some feedback telling me it works. 

net-acct-notempfiles.patch : \
http://exorsus.net/projects/net-acct/net-acct-notempfiles.patch

For much of the functionality provided by net-acct, an alternative, \
http://savannah.nongnu.org/projects/ulog-acctd, exists which is considerably better \
at catching all the relevant packets. For the majority of problems it should be \
considered the preferable solution to net-acct (assuming you're on a linux 2.4 kernel \
of course :) 

http://netacct-mysql.sourceforge.net/ is a fairly new project which is creating a \
completely mysql-customised version of net-acct. There's obviously a popular niche \
here since there seem to be a fair number of people contributing. Users looking to \
put their data straight into MySQL may well be served by taking a look. 

Thomas Prokosch kindly donated another log summary script which can be found at \
http://www.nadev.net/thomas/projects/nacctstats/ 

Marc Haber has made available a patch for a locking problem within net-acct. If you \
are suffering from rare situations in which net-acct seems to spin out and grab all \
available cpu, this may well help. 

lockpatch.txt : http://exorsus.net/projects/net-acct/lockpatch.txt

0.71 is now the latest version, changes: A patch for a small bug in the Localtime \
handling for those using the HUMAN_READBLE define. 

We have a debian package available, thanks to Bernd Eckenfels , package page is at \
http://packages.debian.org/unstable/net/net-acct.html. 

Known bugs 

- Name based framing detection. Now, to be honest, I don't have a great idea of what \
exatly "framing" is, in this context, but if you know, tell me, or I'll end up \
figuring it out for myself when the bug list begins to annoy me :) 

- Reverse masq tracking (includes patch) hopefully will go into the next version, or \
something :) 

PLEASE NOTE The README file in the archive is out of date in some aspects, it is \
included for completeness however contact names, mailing list signups etc are \
incorrect. 

 
http://exorsus.net/projects/net-acct/ 


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic