COMMAND

    ntop

SYSTEMS AFFECTED

    ntop prior to 1.3.1

PROBLEM

    The following is based on [ Hackerslab bug_paper ].  ntop displays
    the top network users.  With the -w switch ntop starts in web mode:
    users can point their web browsers at the specified port and browse
    traffic information remotely.

    Supposing ntop is started on port 3000 (ntop -w 3000), the URL to
    access is

        http://hostname:3000/

    The file ~/.ntop specifies the HTTP user/password of those people
    who are allowed to access ntop.  If the ~/.ntop file is missing, no
    authentication is used, hence everyone can access the traffic
    information.  A simple .ntop file is the following:

        # .ntop file format
        # user<tab>/<space>pw
        luca      linux

    Please note that an HTTP server is NOT needed in order to use the
    program in interactive mode.  The 'bdf' program has SUID permission.
    When 'ntop' is used in web mode, its web root is "/etc/ntop/html",
    but web mode does not check the URL path, so requests are not
    confined to that directory.

    So if the URL is

        http://URL:port/../../shadow

    a remote user can read arbitrary files on the system.

SOLUTION

    The problem above has been reported to the author and it has been
    fixed immediately.  There were a few other security related issues
    which have been fixed as well.  With version 1.3.1 it properly
    returns a 401 code when trying to access '..' paths.
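    As an added illustration (not ntop's own code, nor the 1.3.1 patch), the kind of web-root confinement check the fix describes: decode the request path, walk it segment by segment, and refuse any '..' that would climb above the web root named in the advisory.  NTOP_WEB_ROOT and ntop_safe_path are names chosen here; the caller would answer a refused path with the 401 the advisory mentions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NTOP_WEB_ROOT "/etc/ntop/html"  /* web root named in the advisory */

/* Decode %XX escapes so "%2e%2e" is checked as "..".  Returns 0 on a
   malformed escape or a decoded NUL byte (which would truncate the path). */
static int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '%') {
            unsigned v;
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return 0;
            sscanf(in + 1, "%2x", &v);
            if (v == 0) return 0;
            c = (int)v;
            in += 2;
        }
        if (o + 1 >= outlen) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Returns 1 and fills 'resolved' with the file to serve when request_path
   stays inside NTOP_WEB_ROOT; returns 0 (refuse the request) otherwise.
   Segments are walked after decoding: ".." is honoured only while there is
   a component below the root to pop, so "/../../shadow" is refused rather
   than silently clamped. */
int ntop_safe_path(const char *request_path, char *resolved, size_t len) {
    char dec[1024];
    const char *parts[64];
    size_t depth = 0, used;

    if (!url_decode(request_path, dec, sizeof dec) || dec[0] != '/') return 0;
    for (char *seg = strtok(dec, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (depth == 0) return 0;   /* would climb above the web root */
            depth--;
            continue;
        }
        if (depth == sizeof parts / sizeof parts[0]) return 0;
        parts[depth++] = seg;
    }
    used = (size_t)snprintf(resolved, len, "%s", NTOP_WEB_ROOT);
    for (size_t i = 0; i < depth && used < len; i++)
        used += (size_t)snprintf(resolved + used, len - used, "/%s", parts[i]);
    return used < len;
}
```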

    The "ntop" package is not a part of Debian 2.1.  No fix is
    necessary.  As for Debian 2.2 alias potato, this version of Debian
    is not yet released.  Fixes are currently available for Alpha, ARM,
    Intel ia32, Motorola 680x0, PowerPC and the Sun Sparc architecture:

        http://security.debian.org/dists/stable/updates/main/source/ntop_1.2a7-11.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/ntop_1.2a7-11.dsc
        http://security.debian.org/dists/stable/updates/main/source/ntop_1.2a7.orig.tar.gz

        http://security.debian.org/dists/stable/updates/main/binary-alpha/ntop_1.2a7-11_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/ntop_1.2a7-11_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/ntop_1.2a7-11_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/ntop_1.2a7-11_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/ntop_1.2a7-11_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/ntop_1.2a7-11_sparc.deb

    Debian Unstable alias woody is  not yet released and reflects  the
    current development release.  Fixes are the same as for potato.

    For RedHat:

        ftp://updates.redhat.com/powertools/6.2/sparc/ntop-1.3.1-1.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/ntop-1.3.1-1.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/SRPMS/ntop-1.3.1-1.src.rpm

    For FreeBSD:

        1) Remove the setuid bit from the ntop binary so that only the
           superuser may execute it.  Depending on local policy this
           vulnerability may not present significant risk.
        2) Avoid using ntop -w.  If ntop -w is required, consider
           imposing access controls to limit access to the ntop server
           port (e.g. using a perimeter firewall, or ipfw(8) or ipf(8)
           on the local machine).  Note that specifying a
           username/password access list within the ntop configuration
           file is insufficient, as noted above.  Users who pass the
           access restrictions can still gain privileges as described
           above.

    Due to the lack of attention to security in the ntop port no simple
    fix is possible: for example, the local root overflow can easily be
    fixed, but since ntop holds a privileged network socket a member of
    the wheel group could still obtain direct read access to all network
    traffic by exploiting other vulnerabilities in the program, which
    remains a technical security violation.  The FreeBSD port has been
    changed to disable '-w' mode and remove the setuid bit, so that the
    command is only available locally to the superuser.  Full
    functionality will be restored once the ntop developers have
    addressed these security concerns and provided an adequate fix -
    this advisory will be reissued at that time.  Patch:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntop-1.1.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntop-1.1.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/ntop-1.1.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntop-1.1.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/ntop-1.1.tgz