FastNetMon
- <= 1.2.9
A local symlink attack vulnerability has been identified in FastNetMon Community Edition versions through 1.2.9. The issue arises from predictable file paths in the /tmp directory, specifically the default statistics file path of /tmp/fastnetmon.dat. The vulnerability is caused by the print_screen_contents_into_file() function, which opens the file with truncation, without checking for symlinks or using O_NOFOLLOW. Additionally, a chmod() call incorrectly applies permissions to the wrong file, and the umask is set to 0 during daemonization, making all created files world-writable. This allows a local attacker to exploit the vulnerability to overwrite arbitrary files as the FastNetMon process user, typically root.
Exploitation of this vulnerability allows for local privilege escalation by overwriting files with root permissions, as FastNetMon usually runs as root. This could lead to the execution of malicious payloads, such as cron jobs, with root privileges.
To reproduce this vulnerability, a local user can create a symlink at the predictable FastNetMon statistics file path in /tmp that points to a target file, such as a cron job or a sensitive file in the /etc directory. Once the symlink is in place, FastNetMon will follow the symlink when writing statistics, truncating the target file and making it writable by the user. The user can then append a malicious payload, such as a cron job entry, which will be executed with root privileges.
Users are advised to update FastNetMon to a version that addresses this vulnerability. Additionally, the FastNetMon statistics file path can be changed to a directory under /var/lib/fastnetmon/ with appropriate permissions. For systems using systemd, the directory can be bind-mounted into the daemon's namespace.
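The following C sketch is an added example, not FastNetMon's code or its actual fix. It shows a statistics writer that avoids the three defects described above: it opens with O_NOFOLLOW and without O_TRUNC, validates the opened inode before truncating, and sets permissions with fchmod() on the descriptor. The function names, file names and sample data are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened writer, not FastNetMon's code. 0 = written, -1 = refused/error. */
int write_stats_file(const char *path, const char *data, size_t len) {
    /* O_NOFOLLOW makes open() fail if the last path component is a symlink.
       O_TRUNC is deliberately absent: truncate only after validating the inode. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;
    struct stat st;
    /* Accept only a regular file we own with a single hard link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        /* fchmod() acts on the opened inode, independent of path and umask. */
        fchmod(fd, 0644) != 0 || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { close(fd); return -1; }
        data += n;
        len -= (size_t)n;
    }
    return close(fd);
}

/* Constructed self-check in a private temp dir: a plain path is written with
   mode 0644, a symlinked path is refused and its target keeps its 4 bytes. */
int selfcheck(void) {
    char dir[] = "/tmp/statsdemoXXXXXX", plain[64], target[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(plain, sizeof plain, "%s/stats.dat", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link.dat", dir);
    int ok = write_stats_file(plain, "pps=1\n", 6) == 0 && stat(plain, &st) == 0 &&
             st.st_size == 6 && (st.st_mode & 0777) == 0644;
    ok = ok && write_stats_file(target, "keep", 4) == 0 && symlink(target, lnk) == 0;
    ok = ok && write_stats_file(lnk, "overwrite", 9) == -1 &&
         stat(target, &st) == 0 && st.st_size == 4;
    unlink(lnk); unlink(plain); unlink(target); rmdir(dir);
    return ok;
}
```

O_NOFOLLOW only covers the final path component, so the file should still live in a directory that unprivileged users cannot write to, as recommended above.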