[UNIX] Remotely Exploitable Format String Vulnerability in Ntop (%s, Web Server)
From: support@securiteam.com Date: 03/04/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 4 Mar 2002 23:34:48 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Remotely Exploitable Format String Vulnerability in Ntop (%s, Web Server)
------------------------------------------------------------------------
SUMMARY
<http://www.ntop.org/> Ntop is a UNIX tool that shows network usage, similar to what the popular top UNIX command does at the system level. A format string vulnerability has been discovered in the program's code; it is currently known to affect the UNIX version, while the Windows port of the program remains untested. The vulnerability allows remote arbitrary code execution.
DETAILS
The format string vulnerability lies within the traceEvent() function, which is declared in the file util.c as:

  void traceEvent(int eventTraceLevel, char* file,
                  int line, char * format, ...)

The third argument, as is apparent, is a format string that the traceEvent() call later expands.
Further into the code, the following is made visible:
  ..
  va_list va_ap;
  va_start (va_ap, format);
  ..
  char buf[BUF_SIZE];
  ..
#ifdef WIN32
  /* Windows lacks vsnprintf */
  vsprintf(buf, format, va_ap);
#else
  vsnprintf(buf, BUF_SIZE-1, format, va_ap);
#endif
  if(!useSyslog) { // syslog() logging is not enabled
    printf(buf); // vulnerability
    ..
#ifndef WIN32
  else { // syslog() logging is enabled
#if 0
    switch(traceLevel) {
    case 0:
      syslog(LOG_ERR, buf); // vulnerability
      break;
    case 1:
      syslog(LOG_WARNING, buf); // vulnerability
      break;
    case 2:
      syslog(LOG_NOTICE, buf); // vulnerability
      break;
    default:
      syslog(LOG_INFO, buf); // vulnerability
      break;
    }
#else
    syslog(LOG_ERR, buf);
    ..
Obviously, a call such as syslog(LOG_ERR, buf) should be replaced with syslog(LOG_ERR, "%s", buf) to remove the vulnerability. Because of the equally erroneous printf(buf) call, the bug can be exploited whether or not syslog() logging is enabled.
One of the simplest points of entry we have determined is when the -w option was specified when ntop was run, which enables web access to the ntop information. An HTTP request such as the following:

  GET /%s%s%s HTTP/1.0

will cause program termination (the HTTP daemon for ntop normally listens on port 3000).
The vulnerability does allow remote execution of arbitrary commands; administrators who are concerned should apply an appropriate fix quickly.
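As an added example (not ntop's own code), the following shows the fix described above in the shape of traceEvent(): the caller's format is expanded once, and the resulting message is then passed only as a "%s" data argument to printf() and syslog(). The helper format_directive_count() and the names trace_event_safe, use_syslog and BUF_SIZE are assumptions for illustration; it shows why the second pass is dangerous, since the directives from a request path like /%s%s%s survive the first expansion intact.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define BUF_SIZE 1024   /* assumed size, mirrors ntop's buffer */

/* Count the '%' conversion directives a string would introduce if it
 * were ever used as a format string ("%%" is a literal percent sign). */
int format_directive_count(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened trace routine (hypothetical name) modelled on traceEvent().
 * Returns the formatted message length and copies the message to 'out'
 * so the result can be inspected without reading captured output. */
int trace_event_safe(char *out, size_t outsz, int use_syslog,
                     const char *format, ...)
{
    char buf[BUF_SIZE];
    va_list ap;

    va_start(ap, format);
    vsnprintf(buf, sizeof buf, format, ap);  /* the only format expansion */
    va_end(ap);

    if (use_syslog)
        syslog(LOG_ERR, "%s", buf);          /* fixed: was syslog(LOG_ERR, buf) */
    else
        printf("%s\n", buf);                 /* fixed: was printf(buf) */

    return snprintf(out, outsz, "%s", buf);
}
```

Building with -Wformat-security (gcc/clang) flags the original printf(buf) and syslog(LOG_ERR, buf) patterns at compile time.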
ADDITIONAL INFORMATION
The information has been provided by <mailto:holo@brained.org> hologram.