Hi all,
the following problems have been fixed in ntop's CVS. This is (yet)
another good reason to update your copy of ntop using CVS.

Cheers, Luca


> ----- Forwarded message from hologram <[EMAIL PROTECTED]> -----
> 
> Date: Mon, 4 Mar 2002 07:46:18 -0500 (EST)
> From: hologram <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: [H20020304]: Remotely exploitable format string vulnerability in
>  ntop
> 
>         h o l o g r a m  |  s e c u r i t y  |  a d v i s o r y
> _______________________________________________________________________
> 
>                        Advisory ID : H20020304
>                           Software : ntop
>                           Synopsis : Remotely exploitable format
>                                      string vulnerability in ntop.
>                             Vendor : Luca Deri <www.ntop.org>
>                           Verified : Version 2.0
>                             Author : hologram <[EMAIL PROTECTED]>
> 
> _______________________________________________________________________
> 
> | Overview |-----------------------------------------------------------
> 
> ntop is a UNIX tool that shows network usage, similar to what the
> popular top UNIX command does on the system level. A format string
> vulnerability has been discovered on the programmatic level and
> is currently known to affect the UNIX version, however, the Windows
> port of the program remains untested. The vulnerability allows
> for remote arbitrary code execution.
> 
> | Vulnerability |------------------------------------------------------
> 
> The format string vulnerability lies within the traceEvent() function
> which is declared as:
> 
> void traceEvent(int eventTraceLevel, char* file,
>   int line, char * format, ...)
> 
> in the file util.c. The third argument, as is apparent, is a format
> string to be later manipulated by the traceEvent() call.
> 
> Further into the code, the following is made visible:
> 
> ...
> 
>   va_list va_ap;
>   va_start (va_ap, format);
> 
> ...
> 
>     char buf[BUF_SIZE];
> 
> ...
> 
> #ifdef WIN32
>       /* Windows lacks of vsnprintf */
>       vsprintf(buf, format, va_ap);
> #else
>       vsnprintf(buf, BUF_SIZE-1, format, va_ap);
> #endif
> 
>       if(!useSyslog) {  // syslog() logging is not enabled
>         printf(buf);  // vulnerability
> 
> ...
> 
> #ifndef WIN32
>       else {  // syslog() logging is enabled
> #if 0
>         switch(traceLevel) {
>         case 0:
>           syslog(LOG_ERR, buf);  // vulnerability
>           break;
>         case 1:
>           syslog(LOG_WARNING, buf);  // vulnerability
>           break;
>         case 2:
>           syslog(LOG_NOTICE, buf);  // vulnerability
>           break;
>         default:
>           syslog(LOG_INFO, buf);   // vulnerability
>           break;
>         }
> #else
>         syslog(LOG_ERR, buf);
> 
> ...
> 
> Obviously, a call such as syslog(LOG_ERR, buf) should be replaced
> with syslog(LOG_ERR, "%s", buf) to remove the insecurity.
> 
> The bug can be exploited whether or not syslog() logging is enabled
> because of the erroneous printf(buf) call, as well.
> 
> One of the simplest points of entry I have determined is if the -w
> option was specified when ntop was run, which allows web access
> to the ntop information. An HTTP request of the following:
> 
> GET /%s%s%s HTTP/1.0
> 
> will cause program termination (the HTTP daemon for ntop is normally
> listening on port 3000).
> 
> The vulnerability does allow remote execution of arbitrary commands,
> and if concerned, an appropriate fix should be quickly applied.
> 
> -------------------------------| Copyright 2002. All rights reserved. |
> 

-- 
Luca Deri                     NETikos S.p.A.
Via Matteucci 34/B            56124 Pisa, Italy.
Ph. +39/050/968.639           Fax. +39/050/968.626
Personal: [EMAIL PROTECTED]   Business: [EMAIL PROTECTED]
WWW: http://www.lucaderi.org/ ICQ: 68183632
Hacker: someone who loves to program and enjoys being
clever about it - Richard Stallman
_______________________________________________
Ntop-dev mailing list
[EMAIL PROTECTED]
http://listmanager.unipi.it/mailman/listinfo/ntop-dev
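The sink pattern the advisory describes (an already-formatted message handed to printf()/syslog() as the format argument) beside the "%s" fix it recommends, as an added example. This is not ntop's code and not the original poster's: the function names, the "canary" stand-in for a stack value, and the request path used as input are constructed for illustration. The unsafe sink is given exactly one argument and fed a single %x so that the demonstration stays within defined behaviour; the real printf(buf) in ntop has no arguments at all, which is why "%s%s%s" walks off the frame and crashes the daemon.

```c
/* Added example (not ntop's code): a format-string sink of the shape the
 * advisory describes, beside the hardened form. Build: cc -std=c99 -Wall. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the '%' directives an attacker string would inject if it were ever
 * used as a format ("%%" is a literal percent, not a directive).
 * The advisory's "/%s%s%s" yields 3; each one pops a nonexistent argument. */
int format_directive_count(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

#if defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#endif
/* Mirrors printf(buf): the rendered message is passed AS the format.
 * 'canary' stands in for whatever happens to sit in the next argument slot
 * (in the real bug there is no argument, so the read lands on the stack).
 * One %x against one supplied argument is defined; more is not. */
int log_line_unsafe(char *out, size_t outsz, const char *msg, unsigned canary) {
    return snprintf(out, outsz, msg, canary);
}
#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

/* The fix the advisory gives: the message is data, the format is "%s". */
int log_line_safe(char *out, size_t outsz, const char *msg) {
    return snprintf(out, outsz, "%s", msg);
}

/* A traceEvent-shaped logger done right: the caller's literal format is
 * expanded once with vsnprintf, and the result is only ever passed through
 * a "%s" afterwards. The format attribute lets the compiler check callers. */
#if defined(__GNUC__)
__attribute__((format(printf, 6, 7)))
#endif
int trace_event_safe(char *out, size_t outsz, int level, const char *file,
                     int line, const char *fmt, ...) {
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    /* syslog(LOG_ERR, "%s", buf) would be the equivalent for the syslog path */
    return snprintf(out, outsz, "[%d] %s:%d %s", level, file, line, buf);
}

int main(void) {
    char out[256];
    const char *path = "/%x";          /* constructed request path */
    log_line_unsafe(out, sizeof out, path, 0x41424344u);
    printf("unsafe sink: %s\n", out);  /* "/41424344": the slot is leaked */
    log_line_safe(out, sizeof out, path);
    printf("safe sink:   %s\n", out);  /* "/%x": treated as data */
    trace_event_safe(out, sizeof out, 0, "http.c", 1,
                     "bad request %s", "/%s%s%s");
    printf("trace:       %s\n", out);  /* attacker directives left alone */
    printf("directives in /%%s%%s%%s: %d\n",
           format_directive_count("/%s%s%s"));
    return 0;
}
```

The same "%s" discipline applies to every sink that takes a format: printf, fprintf, syslog, snprintf into a second buffer, and any wrapper around them. Building with -Wformat -Wformat-security (and -Werror for those two) turns the printf(buf) shape into a build failure rather than a remote crash.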
