Bugtraq mailing list archives
Re: Ksecurity Advisory: ntop format string vulnerability
From: Kris Kennaway <kris () CITUSC USC EDU>
Date: Sat, 21 Oct 2000 14:39:58 -0700
On Wed, Oct 18, 2000 at 08:45:24AM -0000, Ksecurity wrote:
> In FreeBSD case, By default the ntop port is installed setuid root and only executable by root and members of the 'wheel' group.
Not any more. Please check that your information is up to date before making incorrect statements - we fixed this 2 months ago and even released an advisory about other security problems we found in ntop. Basically, a format string vulnerability is far from the only concern here.
From the advisory (SA-00:36):
----
The ntop software is written in a very insecure style, with many potentially exploitable buffer overflows (including several demonstrated ones) which could in certain conditions allow the local or remote user to execute arbitrary code on the local system with increased privileges.

...

By default the ntop port is installed setuid root and only executable by root and members of the 'wheel' group. The 'wheel' group is normally only populated by users who also have root access, but this is not necessarily the case (the user must know the root password to increase his or her privileges). ntop allows a member of the wheel group to obtain root privileges directly through a local exploit.

...

Local users who are members of the wheel group can obtain root privileges without having to pass through the normal system security mechanisms (i.e. entering the root password).
----

CVS commit containing the removal of setuid bit:

----------------------------
revision 1.13
date: 2000/08/13 06:32:58; author: kris; state: Exp; lines: +2 -3
Re-enable this port after removing setuid privileges and limiting access to root only.
----------------------------
revision 1.12
date: 2000/08/09 01:59:48; author: kris; state: Exp; lines: +3 -1
Mark FORBIDDEN due to frightening lack of safe string operations leading to multiple local and remote root exploits.
----------------------------

It's also installed setuid on every other system, not just BSD, according to the software makefile.

FWIW, I never got a response when I tried talking to the ntop developers about the problem prior to the advisory release..

Kris