5th Mar 2002 [SBWID-5164]
COMMAND
ntop remote format string overflow in web interface
SYSTEMS AFFECTED
ntop 2.0, others ??
PROBLEM
hologram <holo@brained.org> posted:
--snipp--
The format string vulnerability lies within the traceEvent() function
which is declared as:
void traceEvent(int eventTraceLevel, char* file,
int line, char * format, ...)
in the file util.c. The third argument, as is apparent, is a format
string to be later manipulated by the traceEvent() call.
Further into the code, the following is made visible:
...
va_list va_ap;
va_start (va_ap, format);
...
char buf[BUF_SIZE];
...
#ifdef WIN32
/* Windows lacks of vsnprintf */
vsprintf(buf, format, va_ap);
#else
vsnprintf(buf, BUF_SIZE-1, format, va_ap);
#endif
if(!useSyslog) { // syslog() logging is not enabled
printf(buf); // vulnerability
...
#ifndef WIN32
else { // syslog() logging is enabled
#if 0
switch(traceLevel) {
case 0:
syslog(LOG_ERR, buf); // vulnerability
break;
case 1:
syslog(LOG_WARNING, buf); // vulnerability
break;
case 2:
syslog(LOG_NOTICE, buf); // vulnerability
break;
default:
syslog(LOG_INFO, buf); // vulnerability
break;
}
#else
syslog(LOG_ERR, buf);
...
Obviously, a call such as syslog(LOG_ERR, buf) should be replaced with
syslog(LOG_ERR, "%s", buf) to remove the insecurity.
The bug can be exploited whether or not syslog() logging is enabled
because of the erroneous printf(buf) call, as well.
One of the simplest points of entry I have determined is if the -w
option was specified when ntop was run, which allows web access to the
ntop information. An HTTP request of the following:
GET /%s%s%s HTTP/1.0
will cause program termination (the HTTP daemon for ntop is normally
listening on port 3000).
The vulnerability does allow remote execution of arbitrary commands,
and if concerned, an appropriate fix should be quickly applied.
--snapp--
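The following is an added illustration of the fix the post describes, not code from ntop or from the poster: a hypothetical hardened counterpart to traceEvent() in which the caller's format string is consumed exactly once by vsnprintf(), and the resulting buffer reaches printf()/syslog() only as a "%s" argument. The function name, the file name "http.c", the line number and the sample URL are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define BUF_SIZE 1024

/* Hypothetical hardened trace routine (not ntop's own code).
 * 'format' is interpreted once, here, by vsnprintf(). The finished
 * text is then handed to every sink as DATA via "%s", so directives
 * embedded in logged input (e.g. a requested URL) are printed
 * literally instead of being interpreted. Returns the line length. */
int trace_event_safe(char *out, size_t outsz, int use_syslog,
                     const char *file, int line, const char *format, ...)
{
    char msg[BUF_SIZE];
    va_list ap;

    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap);   /* only use of 'format' */
    va_end(ap);

    int n = snprintf(out, outsz, "%s:%d: %s", file, line, msg);

    if (use_syslog)
        syslog(LOG_ERR, "%s", out);   /* fixed: buffer is an argument, not the format */
    else
        printf("%s\n", out);          /* fixed: no printf(buf) */

    return n;
}

/* Constructed sample: the URL mirrors the request from the advisory and
 * reaches the logger as data. With the hardened routine it survives
 * verbatim; the file name and line number are placeholders. */
int demo(char *out, size_t outsz)
{
    const char *requested_url = "/%s%s%s";
    return trace_event_safe(out, outsz, 0, "http.c", 42,
                            "Requested URL: %s", requested_url);
}
```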
SOLUTION
fix available ??