8304929 2002-04-17 10:13 -0700  /45 lines/ JP <px@negative.zeroday.net>
Sent by: joel@lysator.liu.se
Imported: 2002-04-18  03:09  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21910>
Subject: segfault in ntop
------------------------------------------------------------
From: JP <px@negative.zeroday.net>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33L2.0204170946450.6938-100000@negative.zeroday.net>

I'm sorry if this has already been discussed on here before, but I
went through the thread and saw nothing on it.

I was able to remotely segfault ntop v.2.0.0 using Netscape 6.1 by
simply specifying a command in the URL location bar.  For example:

http://ntop.site.com:port/`ls`

The above command will cause ntop to segfault and core dump.  I
tried a few different commands, ls and su segfaulted ntop, whereas
everything else I tried gave a 403 error, but ntop stayed online.

Here's information about my ntop platform:

Mandrake Linux v8.1 kernel 2.4.8-26mdk
ntop v.2.0.0 MT [i686-pc-linux-gnu] (01/24/02 03:04:18 PM build)

I was able to segfault ntop from the following platforms:

Mandrake Linux v8.1 kernel 2.4.8-26mdk with Netscape v6.1
(Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010726
Netscape6/6.1)

Mandrake Linux v8.1 kernel 2.4.8-26mdk with Opera 5.0 for Linux -
20010510 Build 024 -[5]

Windows 2000 Server 5.00.2195 SP2 with Netscape v6.2.2
(Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4.1)
Gecko/20020314 Netscape6/6.2.2)

I was unable to duplicate this segfault with the following browsers:

Internet Explorer v6.0.2600.0000
Konqueror v2.2.1

I did not test any other platforms or browsers than the ones listed
here.  I have notified ntop and haven't received a response yet.

Thanks,

jason
(8304929) /JP <px@negative.zeroday.net>/--(Rewrapped)
8310850 2002-04-18 13:39 +1200  /65 lines/ Craig Humphrey <Craig.Humphrey@ChapmanTripp.com>
Sent by: joel@lysator.liu.se
Imported: 2002-04-19  01:51  by Brevbäraren
External recipient: 'JP' <px@negative.zeroday.net>
External recipient: bugtraq@securityfocus.com
External CC recipient: 'ntop@unipi.it' <ntop@unipi.it>
Recipient: Bugtraq (import) <21930>
Subject: RE: segfault in ntop
------------------------------------------------------------
From: Craig Humphrey <Craig.Humphrey@ChapmanTripp.com>
To: 'JP' <px@negative.zeroday.net>, bugtraq@securityfocus.com
Cc: "'ntop@unipi.it'" <ntop@unipi.it>
Message-ID: <3D6694DB1788D311BA3E00508B5DFFE7036F90D1@aklmessage01>

I think this was fixed recently as it doesn't happen in my v.2.0.99
build (from a recent cvs).

(8310850) /Craig Humphrey <Craig.Humphrey@ChapmanTripp.com>/(Rewrapped)
8315330 2002-04-19 08:58 -0500  /162 lines/ Burton M. Strauss III <Burton@ntopsupport.com>
Sent by: joel@lysator.liu.se
Imported: 2002-04-19  22:21  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21962>
Comment on text 8304929 by JP <px@negative.zeroday.net>
Subject: RE: segfault in ntop
------------------------------------------------------------
From: "Burton M. Strauss III" <Burton@ntopsupport.com>
To: <bugtraq@securityfocus.com>
Message-ID: <JIEPJGFPFMFIGBNCPKGGAEPGCFAA.Burton@ntopsupport.com>

(Resend - apparently this didn't get through the 1st time)

The current version of ntop (2.0.99) - 12April2002 snapshot - does not
crash.  Tested under 4.79 and 6.2.2.  Also IE 5.5.

The patch in traceEvent to fix the previously reported security
problem (references below) also fixes this problem.  That version has
been available in ntop snapshots since 01Mar2002.

Snapshots and news are available at the ntop community support pages,
http://snapshot.ntop.org/.

ntop 2.1 (a new stable release) is being prepared for release.

-----Burton

Bugtraq references

Original traceEvent posting:
http://online.securityfocus.com/archive/1/259642
Reply: http://online.securityfocus.com/archive/1/259723

Second traceEvent posting:
http://online.securityfocus.com/archive/1/267053
Reply: http://online.securityfocus.com/archive/1/267180

==============================

What appears to be the difference between NS4.79/IE5.5 and NS6.2.2 is
that Netscape 6.2.2 converts the url from

http://192.168.xx.yy:pppp/`ls` to
http://192.168.xx.yy:pppp/%60ls%60

ntop 2.0.99 (12Apr2002 snapshot) returns

"Unable to generate the page requested [%60]"

Netscape 4.79 reports "The document contains no data. Try again later
or contact the server's administrator."

IE 5.50 gives a standard internally generated error page.

Note that under both RFC 1945 - http 1.0
(http://www.w3.org/Protocols/rfc1945/rfc1945) and RFC 2068 - http 1.1
(http://www.w3.org/Protocols/rfc2068/rfc2068), the character `
appears to be legal - it falls into the "national" category.

The results from IE 5.5 and NS 4.79 for ntop 2.0 are the same as
above.  With the conversion from ` -> %60, NS 6.2.2 does in fact
crash ntop 2.0 -- IF the -L (use syslog) flag is not specified...

Wait please: ntop is coming up...
17/Apr/2002 18:18:59 Initializing IP services...
17/Apr/2002 18:18:59 Initializing SSL...
17/Apr/2002 18:18:59 SSL initialized successfully
17/Apr/2002 18:18:59 Initializing GDBM...
17/Apr/2002 18:18:59 Initializing network devices...
17/Apr/2002 18:18:59 ntop v.2.0.0 MT (SSL) [i686-pc-linux-gnu] (02/28/02 06:47:29 AM build)
17/Apr/2002 18:18:59 Listening on [eth0,eth1]
17/Apr/2002 18:18:59 Copyright 1998-2001 by Luca Deri <deri@ntop.org>
17/Apr/2002 18:18:59 Get the freshest ntop from http://www.ntop.org/
17/Apr/2002 18:18:59 Initializing...
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 8201 (LWP 18072)]
__wcslen (s=0x3ff) at wcslen.c:30
30      wcslen.c: No such file or directory.
        in wcslen.c
(gdb) info stack
#0  __wcslen (s=0x3ff) at wcslen.c:30
#1  0x4051a344 in __wcsrtombs (dst=0x0, src=0x44630ca8, len=0, ps=0x44630cac) at wcsrtombs.c:67
#2  0x404e3957 in _IO_vfprintf (s=0x405c06e0, format=0x4463124c "     12. Requested URL = '/%60ls%60', length = -1\n", ap=0x44631204) at vfprintf.c:1524
#3  0x404ebe0c in printf (format=0x4463124c "     12. Requested URL = '/%60ls%60', length = -1\n") at printf.c:33
#4  0x40210466 in traceEvent (eventTraceLevel=3, file=0x4005838b "http.c", line=1809, format=0x400580c0 "%7d. Requested URL = '%s', length = %d\n") at util.c:2173
#5  0x40036c99 in handleHTTPrequest (from={s_addr = 53127360}) at http.c:1809
#6  0x400530d1 in handleSingleWebConnection (fdmask=0x44631a0c) at webInterface.c:1155
#7  0x40052fa7 in handleWebConnections (notUsed=0x0) at webInterface.c:1086
#8  0x40450c6f in pthread_start_thread (arg=0x44631be0) at manager.c:284
#9  0x40450d5f in pthread_start_thread_event (arg=0x44631be0) at manager.c:308
(gdb)

With -L in the parameters, the error is properly caught and reported
(albeit incompletely) in the log:

Apr 17 18:49:49 tigger ntop[18115]:      10. Requested URL = '/`ls`', length = -1
Apr 17 18:50:06 tigger ntop[18115]:      11. Requested URL = '/
Apr 17 18:50:06 tigger ntop[18115]: Found % : @ \r or \n in URL (
Apr 17 18:50:06 tigger ntop[18115]:      12. Requested URL = '/style.css', length = -1

(8315330) /Burton M. Strauss III <Burton@ntopsupport.com>/(Rewrapped)
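Added illustration (not ntop's code and not anything posted in the thread) of the pattern the backtrace above exposes: frame #3 shows printf called with the already-formatted log line as its format, so the "%60ls" inside the decoded URL is parsed as a width-60 wide-string conversion and wcslen runs on whatever the va_list held. The hardened sink below passes the message as data through a fixed "%s", and the helper classifies which directive an unchecked string would trigger; both function names are assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hardened trace sink (hypothetical, not ntop's traceEvent): the caller's
 * literal format is expanded once, then the result goes out through a
 * fixed "%s", so a '%' that arrived inside the data (the URL) is copied
 * verbatim instead of being re-parsed as a conversion directive. */
static int trace_event_safe(char *out, size_t outlen, const char *fmt, ...)
{
    char msg[512];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    return snprintf(out, outlen, "%s", msg); /* data is an argument, never a format */
}

/* Classify what 's' would do if it were (mis)used as a printf format:
 * returns the conversion character of the first directive ('s', 'd', 'n'...)
 * plus its field width and whether an 'l' modifier preceded it, or 0 when
 * the string is inert ("%%" is a literal percent; a trailing, unterminated
 * "%60" also yields 0). */
static char first_directive(const char *s, int *width, int *has_l)
{
    *width = 0;
    *has_l = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                         /* "%%" */
        while (*p && strchr("-+ #0", *p)) p++;             /* flags */
        while (*p >= '0' && *p <= '9')                     /* field width */
            *width = *width * 10 + (*p++ - '0');
        if (*p == '.') { p++; while (*p >= '0' && *p <= '9') p++; } /* precision */
        while (*p == 'l' || *p == 'h') {                   /* length modifiers */
            if (*p == 'l') *has_l = 1;
            p++;
        }
        return *p; /* has_l + 's' = "%ls": a wchar_t * is pulled from the va_list */
    }
    return 0;
}
```

Run against the thread's decoded URL "/%60ls%60", first_directive reports 's' with width 60 and the 'l' modifier set, while trace_event_safe logs the same URL byte-for-byte.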