TUCoPS :: Unix :: General :: ntop-1.htm
Ntop break out of webroot in web mode
Vulnerability
 ntop
Affected
 ntop prior to 1.3.1
Description
 Following is based on [ Hackerslab bug_paper ]. ntop displays top
 network users. With the -w switch it starts in web mode: users
 can point their web browsers at the specified port and browse
 traffic information remotely.
 Supposing ntop is started on port 3000 (ntop -w 3000), the URL
 to access is
 http://hostname:3000/
 The file ~/.ntop specifies the HTTP user/password pairs of those
 people who are allowed to access ntop. If the ~/.ntop file is
 missing no authentication is performed, hence everyone can access
 traffic information. A simple .ntop file is the following:
 # .ntop File format
 #   user<tab>/<space>pw
 luca    linux
 Please note that a separate HTTP server is NOT needed in order to
 use the program in web mode: ntop serves the pages itself.
 * The ntop binary is installed setuid root on some platforms (see
 the FreeBSD notes below), and ntop needs root privileges to
 capture traffic anyway, so files are read with root's permissions.
 When ntop is used in web mode its web root is "/etc/ntop/html".
 Web mode does not check the URL path for ".." components, so the
 request
 http://URL:port/../../shadow
 resolves to /etc/ntop/html/../../shadow, i.e. /etc/shadow, and a
 remote user can read any file on the system. Note that web
 browsers collapse ".." segments before sending the request, so
 the request line has to be sent verbatim (e.g. with netcat or
 telnet).
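 To make the traversal concrete, here is an added example in Python
 (not ntop's own code, which is C). The function names, the
 string-prefix variant and the request paths are illustrative
 assumptions. It models three resolvers for the same URL path: the
 unchecked join described above, a plain prefix check that is a common
 but incomplete fix, and a component-wise containment check, plus the
 raw request line needed because browsers collapse ".." before sending.

```python
"""Added example (not ntop's code): why an unchecked URL path escapes the
web root, and what a correct containment check looks like."""
import posixpath
from urllib.parse import unquote

# ntop's document root in web mode, per the advisory.
WEBROOT = "/etc/ntop/html"


def vulnerable_resolve(url_path: str, webroot: str = WEBROOT) -> str:
    """Model of the pre-1.3.1 behaviour: decode the path, glue it onto
    the web root, and let the kernel resolve the '..' components.
    No containment check at all."""
    rel = unquote(url_path).lstrip("/")
    # normpath mirrors what open(2) does with ".." on a real filesystem.
    return posixpath.normpath(posixpath.join(webroot, rel))


def prefix_check_resolve(url_path: str, webroot: str = WEBROOT):
    """A common but incomplete fix: a plain string-prefix test.
    It still accepts "/etc/ntop/html2/..." as if it were inside
    "/etc/ntop/html"."""
    candidate = vulnerable_resolve(url_path, webroot)
    return candidate if candidate.startswith(webroot) else None


def safe_resolve(url_path: str, webroot: str = WEBROOT):
    """Return the file to serve, or None (-> 401/403) if the request
    would leave the web root."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        # A NUL byte would truncate the path inside a C open() call.
        return None
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # commonpath compares whole path components, so "/etc/ntop/html2"
    # is correctly rejected where startswith() would accept it.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def raw_request(url_path: str, host: str = "hostname", port: int = 3000) -> bytes:
    """Browsers collapse '..' before sending; build the request line
    verbatim so it can be piped into nc or telnet unchanged."""
    return f"GET {url_path} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode()


if __name__ == "__main__":
    # Constructed request paths: a normal page, the advisory's traversal,
    # the same traversal URL-encoded, and a sibling-directory escape.
    for p in ("/index.html", "/../../shadow", "/%2e%2e/%2e%2e/shadow", "/../html2/x"):
        print(f"{p:24} unchecked={vulnerable_resolve(p)}  "
              f"prefix={prefix_check_resolve(p)}  safe={safe_resolve(p)}")
    print(raw_request("/../../shadow").decode(), end="")
```

 The resolvers work on path strings only; on a real filesystem the
 candidate should additionally be passed through os.path.realpath
 before the commonpath test, so that a symlink inside the web root
 cannot point back out of it. The raw request can be sent with
 `printf ... | nc hostname 3000` or with `curl --path-as-is`, which
 tells curl not to collapse the dot segments.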
Solution
 The problem above has been reported to the author and it has been
 fixed immediately. A few other security related issues have been
 fixed as well. As of version 1.3.1 ntop properly returns a 401
 code when trying to access '..' paths.
 The "ntop" package is not a part of Debian 2.1. No fix is
 necessary. As for Debian 2.2 alias potato, this version of
 Debian is not yet released. Fixes are currently available for
 Alpha, ARM, Intel ia32, Motorola 680x0, PowerPC and the Sun Sparc
 architecture:
 http://security.debian.org/dists/stable/updates/main/source/ntop_1.2a7-11.diff.gz
 http://security.debian.org/dists/stable/updates/main/source/ntop_1.2a7-11.dsc
 http://security.debian.org/dists/stable/updates/main/source/ntop_1.2a7.orig.tar.gz
 http://security.debian.org/dists/stable/updates/main/binary-alpha/ntop_1.2a7-11_alpha.deb
 http://security.debian.org/dists/stable/updates/main/binary-arm/ntop_1.2a7-11_arm.deb
 http://security.debian.org/dists/stable/updates/main/binary-i386/ntop_1.2a7-11_i386.deb
 http://security.debian.org/dists/stable/updates/main/binary-m68k/ntop_1.2a7-11_m68k.deb
 http://security.debian.org/dists/stable/updates/main/binary-powerpc/ntop_1.2a7-11_powerpc.deb
 http://security.debian.org/dists/stable/updates/main/binary-sparc/ntop_1.2a7-11_sparc.deb
 Debian Unstable alias woody is not yet released and reflects the
 current development release. Fixes are the same as for potato.
 For RedHat:
 ftp://updates.redhat.com/powertools/6.2/sparc/ntop-1.3.1-1.sparc.rpm
 ftp://updates.redhat.com/powertools/6.2/i386/ntop-1.3.1-1.i386.rpm
 ftp://updates.redhat.com/powertools/6.2/SRPMS/ntop-1.3.1-1.src.rpm
 For FreeBSD:
 1) Remove the setuid bit from the ntop binary so that only the
 superuser may execute it. Depending on local policy this
 vulnerability may not present significant risk.
 2) Avoid using ntop -w. If ntop -w is required, consider
 imposing access controls to limit access to the ntop server
 port (e.g. using a perimeter firewall, or ipfw(8) or ipf(8)
 on the local machine). Note that specifying a
 username/password access list within the ntop configuration
 file is insufficient, as noted above. Users who pass
 the access restrictions can still gain privileges as
 described above.
 Due to the lack of attention to security in the ntop port no
 simple fix is possible: for example, the local root overflow can
 easily be fixed, but since ntop holds a privileged network socket
 a member of the wheel group could still obtain direct read access
 to all network traffic by exploiting other vulnerabilities in the
 program, which remains a technical security violation. The
 FreeBSD port has been changed to disable '-w' mode and remove the
 setuid bit, so that the command is only available locally to the
 superuser. Full functionality will be restored once the ntop
 developers have addressed these security concerns and provided an
 adequate fix - this advisory will be reissued at that time.
 Updated packages (with '-w' mode disabled and the setuid bit removed):
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntop-1.1.tgz
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntop-1.1.tgz
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/ntop-1.1.tgz
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntop-1.1.tgz
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/ntop-1.1.tgz