Re: ntop -i local exploit

[Bill Fumerola <billf () MU ORG>]

On Mon, Jan 29, 2001 at 12:54:42PM +0100, Paul Starzetz wrote:
> 1. Abstract
> -----------
>
> There are various format string bugs in the ntop package as mentioned in
> former Bugtraq articles. This is _not_ a new problem. However, in
> opposite to the '-w' option bug, an exploit for the existent '-i' option
> format string bug has never been posted/released.

It's worth noting that FreeBSD doesn't[1] install this suid/sgid so this
exploit isn't a problem if ntop was installed from ports/packages.

--
Bill Fumerola / billf () FreeBSD org

1. as of rev 1.13 of ports/net/ntop/Makefile (Sun Aug 13 06:32:58 2000 UTC)