TUCoPS :: Unix :: General :: shadow-1.htm



Shadow IDS 1.6 - several security concerns
Vulnerability
 shadow ids
Affected
 shadow prior to 1.6
Description
 Patrick Oonk found the following. The Shadow IDS contains a
 programming mistake that breaks many scripts in the suite. The
 author assumed at some point that the year value returned by
 Perl's date functions is a 2-digit number, which it isn't: it is
 the number of years since 1900. In 2000 the value of $year is
 '100'.
 By the way, the Shadow Perl scripts also use /tmp a lot with
 predictable file names, so local exploits are possible.
Solution
 Patrick made a small fix which still is not pretty, but going
 to a 4-digit year would break many other things in the scripts,
 and this fix will work for the next 99 years anyway (he changed
 the top of 'sensor/variables.ph' into):
 # We need various timestamps all over the place
 @T = localtime;
 if ($T[5] > 99) {
     $T[5] -= 100;
 }
 Version 1.6 of the SHADOW intrusion detection system passed
 through 1/1/00 with no problems. Those with earlier versions had
 a problem on their sensors. Our suggestion is to fetch the latest
 version of SHADOW (Version 1.6) from
 http://www.nswc.navy.mil/ISSEC/CID/shadowForm.html
 and install it. For the short term, line 22 in start_logger.pl
 of pre-1.6 versions reads:
 $tmp = sprintf("%02d%02d%02d%02d", @T[5],@T[4]+1,@T[3],@T[2]);
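 Change it to (strftime is provided by Perl's POSIX module, so the
 script must load it with 'use POSIX qw(strftime);' if it does not
 already):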
 $tmp = strftime("%y%m%d%H", @T);
 This should keep your SHADOW system functioning until you upgrade
 to Version 1.6.
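
 The three timestamp forms discussed above, side by side, as an added example that is not part of the SHADOW distribution or of the original advisory. The sub names and the sample dates are constructed for illustration; the 2100 sample goes past the "next 99 years" to show where the variables.ph fix stops working while the strftime form does not.

```perl
#!/usr/bin/perl
# Added example (not SHADOW code): compares the timestamp forms from the
# advisory on constructed dates around the 2000 and 2100 rollovers.
use strict;
use warnings;
use POSIX qw(strftime);
use Time::Local qw(timelocal);

# Pre-1.6 form: treats $T[5] as if it were a two-digit year.
sub stamp_original {
    my @T = @_;
    return sprintf("%02d%02d%02d%02d", $T[5], $T[4] + 1, $T[3], $T[2]);
}

# Same format after the variables.ph fix has adjusted $T[5].
sub stamp_patched {
    my @T = @_;
    if ($T[5] > 99) {
        $T[5] -= 100;
    }
    return sprintf("%02d%02d%02d%02d", $T[5], $T[4] + 1, $T[3], $T[2]);
}

# Short-term start_logger.pl replacement: %y is always two digits.
sub stamp_strftime {
    my @T = @_;
    return strftime("%y%m%d%H", @T);
}

# Constructed sample times: [year, month (1-12), day, hour].
my @samples = (
    [1999, 12, 31, 23],
    [2000,  1,  1,  0],
    [2099, 12, 31, 23],
    [2100,  1,  1,  0],
);

for my $s (@samples) {
    my ($y, $m, $d, $h) = @$s;
    # localtime returns the year as years since 1900 in element 5.
    my @T = localtime(timelocal(0, 0, $h, $d, $m - 1, $y));
    printf("%04d-%02d-%02d %02dh  \$T[5]=%3d  original=%-9s  patched=%-9s  strftime=%s\n",
        $y, $m, $d, $h, $T[5],
        stamp_original(@T), stamp_patched(@T), stamp_strftime(@T));
}
```

 A timestamp that grows from 8 to 9 characters is what breaks scripts that build or parse file names from it, which is why the sprintf form fails on the sensors after 1999.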
