Bugtraq mailing list archives

Re: Ksecurity Advisory: ntop format string vulnerability


From: Kris Kennaway <kris () CITUSC USC EDU>
Date: Sat, 21 Oct 2000 14:39:58 -0700

On Wed, Oct 18, 2000 at 08:45:24AM -0000, Ksecurity wrote:

> In FreeBSD case, by default the ntop port is installed
> setuid root and only executable by root and members
> of the 'wheel' group.

Not any more. Please check that your information is up to date before
making incorrect statements - we fixed this 2 months ago and even
released an advisory about other security problems we found in
ntop. Basically, a format string vulnerability is far from the only
concern here.

From the advisory (SA-00:36):

----
The ntop software is written in a very insecure style, with many
potentially exploitable buffer overflows (including several
demonstrated ones) which could in certain conditions allow the local
or remote user to execute arbitrary code on the local system with
increased privileges.

...

By default the ntop port is installed setuid root and only executable
by root and members of the 'wheel' group. The 'wheel' group is
normally only populated by users who also have root access, but this
is not necessarily the case (the user must know the root password to
increase his or her privileges). ntop allows a member of the wheel
group to obtain root privileges directly through a local exploit.

...

Local users who are members of the wheel group can obtain root
privileges without having to pass through the normal system security
mechanisms (i.e. entering the root password).
----

CVS commit containing the removal of setuid bit:

----------------------------
revision 1.13
date: 2000/08/13 06:32:58;  author: kris;  state: Exp;  lines: +2 -3
Re-enable this port after removing setuid privileges and limiting access
to root only.
----------------------------
revision 1.12
date: 2000/08/09 01:59:48;  author: kris;  state: Exp;  lines: +3 -1
Mark FORBIDDEN due to frightening lack of safe string operations leading
to multiple local and remote root exploits.
----------------------------

It's also installed setuid on every other system, not just BSD,
according to the software makefile.

FWIW, I never got a response when I tried talking to the ntop
developers about the problem prior to the advisory release.

Kris
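
Added example, not part of the original message or of the FreeBSD advisory: a small audit that reports setuid-root files and who may execute them, which is the property the port change above removed. The octal modes in the demo and the default scan root `/usr/local` are constructed assumptions; the page gives no modes or paths.

```python
import os
import stat
import sys

def setuid_exposure(mode, uid):
    """Say who can run a file with root's privileges, judged from mode bits and owner."""
    if not mode & stat.S_ISUID:
        return "not-setuid"
    if uid != 0:
        return "setuid-nonroot"
    if mode & stat.S_IXOTH:
        return "setuid-root:any-user"
    if mode & stat.S_IXGRP:
        return "setuid-root:group"      # the state the advisory describes for wheel
    return "setuid-root:owner-only"

def audit(root):
    """Walk a tree and return (path, mode string, gid, verdict) for setuid-root files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)     # lstat: do not follow symlinks
            except OSError:
                continue                # unreadable or vanished entry
            if not stat.S_ISREG(st.st_mode):
                continue
            verdict = setuid_exposure(st.st_mode, st.st_uid)
            if verdict.startswith("setuid-root"):
                findings.append((path, stat.filemode(st.st_mode), st.st_gid, verdict))
    return findings

if __name__ == "__main__":
    # Constructed modes (assumed, not from the page): before and after the change.
    print(setuid_exposure(0o104750, 0))   # setuid root, executable by owner and group
    print(setuid_exposure(0o100700, 0))   # setuid bit removed, root only
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "/usr/local"):
        print(*finding)
```

A `setuid-root:group` finding is worth checking against the membership of the reported gid, since every member of that group can reach root through any flaw in the binary.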

