8092289 2002-03-04 07:46 -0500  /110 lines/ hologram <holo@brained.org>
Sent by: joel@lysator.liu.se
Imported: 2002-03-05  09:46  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21267>
Subject: [H20020304]: Remotely exploitable format string vulnerability in ntop
------------------------------------------------------------
From: hologram <holo@brained.org>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.BSO.4.33.0203040745300.3145-200000@brained.org>


        h o l o g r a m  |  s e c u r i t y  |  a d v i s o r y
_______________________________________________________________________


                       Advisory ID : H20020304
                          Software : ntop
                          Synopsis : Remotely exploitable format
                                     string vulnerability in ntop.
                            Vendor : Luca Deri <www.ntop.org>
                          Verified : Version 2.0
                            Author : hologram <holo@brained.org>

_______________________________________________________________________


| Overview |-----------------------------------------------------------

ntop is a UNIX tool that shows the network usage, similar to what the
popular top UNIX command does on the system level. A format string
vulnerability has been discovered on the programmatic level and
is currently known to affect the UNIX version; however, the Windows
port of the program remains untested. The vulnerability allows
for remote arbitrary code execution.

| Vulnerability |------------------------------------------------------

The format string vulnerability lies within the traceEvent() function
which is declared as:

void traceEvent(int eventTraceLevel, char* file,
  int line, char * format, ...)

in the file util.c. The third argument, as is apparent, is a format
string to be later manipulated by the traceEvent() call.

Further into the code, the following is made visible:

...

  va_list va_ap;
  va_start (va_ap, format);

...

    char buf[BUF_SIZE];

...

#ifdef WIN32
      /* Windows lacks of vsnprintf */
      vsprintf(buf, format, va_ap);
#else
      vsnprintf(buf, BUF_SIZE-1, format, va_ap);
#endif

      if(!useSyslog) {  // syslog() logging is not enabled
	printf(buf);  // vulnerability

...

#ifndef WIN32
      else {  // syslog() logging is enabled
#if 0
	switch(traceLevel) {
	case 0:
	  syslog(LOG_ERR, buf);  // vulnerability
	  break;
	case 1:
	  syslog(LOG_WARNING, buf);  // vulnerability
	  break;
	case 2:
	  syslog(LOG_NOTICE, buf);  // vulnerability
	  break;
	default:
	  syslog(LOG_INFO, buf);   // vulnerability
	  break;
	}
#else
	syslog(LOG_ERR, buf);

...

Obviously, a call such as syslog(LOG_ERR, buf) should be replaced
with syslog(LOG_ERR, "%s", buf) to remove the insecurity.

The bug can be exploited whether or not syslog() logging is enabled
because of the erroneous printf(buf) call, as well.

One of the simplest points of entry I have determined is if the -w
option was specified when ntop was run, which allows web access
to the ntop information. An HTTP request of the following:

GET /%s%s%s HTTP/1.0

will cause program termination (the HTTP daemon for ntop is normally
listening on port 3000).

The vulnerability does allow remote execution of arbitrary commands,
and if concerned, an appropriate fix should be quickly applied.


-------------------------------| Copyright 2002. All rights reserved. |
(8092289) /hologram <holo@brained.org>/---(Reflowed)
Attachment (text/plain) in text 8092290
Comment in text 8096243 by Burton M. Strauss III <BStrauss@feliscatus.org>
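The fix the advisory describes, as an added example (not ntop's code; trace_event_safe, emit_line and use_syslog are hypothetical names): the caller's format string is expanded exactly once by vsnprintf, and the result is then always passed as a "%s" argument to printf() and syslog(), so a request line such as GET /%s%s%s HTTP/1.0 is logged literally instead of being interpreted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define BUF_SIZE 1024

static int use_syslog = 0;   /* stand-in for ntop's useSyslog flag (hypothetical) */

/* Emit an already-formatted line.  At this point buf is data, so it goes
 * through a fixed "%s" format and is never used as the format itself:
 * this is the one-token fix the advisory calls for. */
static void emit_line(int level, const char *buf)
{
    if (use_syslog)
        syslog(level, "%s", buf);   /* fixed form of syslog(LOG_ERR, buf) */
    else
        printf("%s\n", buf);        /* fixed form of printf(buf) */
}

/* Hypothetical drop-in for traceEvent(): same varargs API, but the
 * caller's format string is interpreted exactly once, by vsnprintf, with
 * the caller's own arguments.  The formatted line is returned as well so
 * that callers and tests can check what would have been logged. */
static const char *trace_event_safe(int level, const char *file, int line,
                                    const char *format, ...)
{
    static char out[BUF_SIZE];
    char msg[BUF_SIZE];
    va_list va_ap;

    va_start(va_ap, format);
    if (vsnprintf(msg, sizeof msg, format, va_ap) < 0)
        msg[0] = '\0';              /* encoding error: log an empty message */
    va_end(va_ap);

    /* msg may contain '%' from untrusted input; it is passed as a %s
     * argument here, not as a format, so it is copied literally. */
    snprintf(out, sizeof out, "%s:%d: %s", file, line, msg);
    emit_line(level, out);
    return out;
}

int main(void)
{
    /* Constructed request line using the directives from the advisory.
     * With the fix it reaches the log verbatim instead of being parsed. */
    const char *request = "GET /%s%s%s HTTP/1.0";
    trace_event_safe(LOG_WARNING, "http.c", 42, "bad request: %s", request);
    return 0;
}
```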
8092290 2002-03-04 07:46 -0500  /105 lines/ hologram <holo@brained.org>
Attachment filename: "H20020304.txt"
Imported: 2002-03-05  09:46  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21268>
Attachment (text/plain) to text 8092289
Subject: Attachment (H20020304.txt) to: [H20020304]: Remotely exploitable format string vulnerability in ntop
------------------------------------------------------------
(8092290) /hologram <holo@brained.org>/---(Reflowed)
8096243 2002-03-05 07:44 -0600  /156 lines/ Burton M. Strauss III <BStrauss@feliscatus.org>
Sent by: joel@lysator.liu.se
Imported: 2002-03-05  21:37  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: Ntop <ntop@unipi.it>
External CC recipient: Ntop-Dev <ntop-dev@unipi.it>
External CC recipient: Luca Deri <l.deri@tecsiel.it>
External CC recipient: Rocco Carbone <rocco@tecsiel.it>
External CC recipient: hologram <holo@brained.org>
Recipient: Bugtraq (import) <21271>
Comment on text 8092289 by hologram <holo@brained.org>
Subject: RE: [H20020304]: Remotely exploitable format string vulnerability in ntop
------------------------------------------------------------
From: "Burton M. Strauss III" <BStrauss@feliscatus.org>
To: <bugtraq@securityfocus.com>
Cc: "Ntop" <ntop@unipi.it>, "Ntop-Dev" <ntop-dev@unipi.it>,
 "Luca Deri" <l.deri@tecsiel.it>, "Rocco Carbone" <rocco@tecsiel.it>,
 "hologram" <holo@brained.org>
Message-ID: <HBEBKGPKAEJLGMLAANAOEEOBDLAA.BStrauss@feliscatus.org>

The existence of this bug - but NOTHING about its security
implications - was posted by one "Peter Suschlik (peter@zilium.de)"
to the ntop-dev mailing list on 28Feb2002:

http://listmanager.unipi.it/pipermail/ntop-dev/2002-February/000489.html

I'm not ntop's author (Luca Deri), so I can't speak as to whether
this is the same individual, or whether an attempt was made to
contact the developers.


The source was corrected in snapshots (available at
http://snapshot.ntop.org) beginning with ntop-02-03-01.tgz and all
subsequent versions.

Although this bug may allow for arbitrary code execution, the risk
is limited if the user follows good practices.  Still, an upgrade to
snapshot versions on/after 01Mar2002 is recommended to all ntop users.

ntop requires root privileges at startup in order to place the
network interface into promiscuous mode.  ntop provides the -u
<username> parameter to allow ntop to run as an unprivileged user, as
soon as possible after execution begins.  This occurs BEFORE the web
server is started.  If the user continues to run as root, a WARNING
message is displayed.

A pending patch will further tighten down the security screen on
requested URLs.

This message is being copied to the two ntop mailing lists and I will
also add this information to the ntop community FAQs, also available
at snapshot.

-----Burton



-----Original Message-----
From: hologram [mailto:holo@brained.org]
Sent: Monday, March 04, 2002 6:46 AM
To: bugtraq@securityfocus.com
Subject: [H20020304]: Remotely exploitable format string vulnerability
in ntop
(8096243) /Burton M. Strauss III <BStrauss@feliscatus.org>/(Reflowed)