This problem was reported on the ntop mailing list on 2/28/2002 (http://listmanager.unipi.it/pipermail/ntop-dev/2002-February/000489.html) and immediately patched... It was reported on bugtraq on 3/5/2002 by hologram [holo@brained.org] (http://online.securityfocus.com/archive/1/259642).

At the time (http://online.securityfocus.com/archive/1/259723), I said:

"Although this bug may allow for arbitrary code execution, the risk is limited if the user follows good practices. Still, an upgrade to snapshot versions on/after 01Mar2002 is recommended to all ntop users. ntop requires root privileges at startup in order to place the network interface into promiscuous mode. ntop provides the -u <username> parameter to allow ntop to run as an unprivileged user, as soon as possible after execution begins. This occurs BEFORE the web server is started. If the user continues to run as root, a WARNING message is displayed. A pending patch will further tighten down the security screen on requested URLs."

The patched version is in ntop snapshots (available at http://snapshot.ntop.org) beginning with ntop-02-03-01.tgz (01Mar2002) and all subsequent versions. ntop 2.1, due to be released soon, will (of course) include the fix for this problem (and many others, not security related). The URLsecurity patch has been included, and the WARNING message has been increased to an ERROR. Unless the user EXPLICITLY adds the -u root parameter, ntop will not run.

<soapbox>

Anyway as to your supposed exploit... let's display THREE lines of code:

    #ifdef DEBUG
    traceEvent(TRACE_INFO, "User='%s' - Pw='%s [%s]'\n", user, pw, data_data.dptr);
    #endif

Makes a little difference, eh? In addition, this routine is part of void doAddUser(), which is invoked from the ntop web server. The ntop web server is started after ntop has given up its root privileges and assumed the given (-u parameter) user id's privileges.
If that user is properly defined to have read/write access only to ntop's files, then the risks are minimal.

</soapbox>

This is not to say that ALL uses of traceEvent() occur after privileges are dropped; that's why the fix from Peter Suschlik was IMMEDIATELY incorporated into ntop!

<soapbox>

As to the issue of "BufferOverflow()": The usual practice in poorly coded software seems to be not to check the return code from functions such as printf(), sprintf(), snprintf(). Instead, ntop uses snprintf() and checks the return code and generates a debugging message to allow us to further improve the code. snprintf() will not overflow the buffer. In addition, the size of every buffer ntop uses has been adjusted to be sufficiently large to handle the data - the test is merely a belt & suspenders test.

</soapbox>

However - OBVIOUSLY - if you find a situation where user generated data can cause an overflow in open code (vs. debug), we will take all necessary steps to protect the application. Please send this in confidence to Luca at his published address. A title such as "Security hole in ntop" is enough to get his attention <grin>.

Can ntop be improved? Certainly! The developers are always interested in further improving ntop. If you have any other issues, corrections or suggestions, please don't hesitate to send them in. As it says in the ntop web server itself and on http://www.ntop.org:

"ntop's author strongly believes in open source software and encourages everyone to modify, improve and extend ntop in the interest of the whole Internet community according to the enclosed license (see COPYING). Problems, bugs, questions, desirable enhancements, source code contributions, etc., should be sent to the mailing list."

(Unfortunately, the mailing list has been closed due to spam.) The contact address remains ntop@ntop.org (information about the mailing lists is at http://www.ntop.org/needHelp.html).
One final point - unfortunately, the text you are quoting about ntop is for the 1.3 version and has not yet been updated for 2.0 - the major difference is that intop has been marginalized in favor of the much richer web based interface.

Thanks!

-----Burton

-----Original Message-----
From: gobbles@hushmail.com [mailto:gobbles@hushmail.com]
Sent: Thursday, April 11, 2002 8:42 AM
To: bugtraq@securityfocus.com; vulnwatch@vulnwatch.org; vuln-dev@securityfocus.com; bugs@securitytracker.com
Subject: ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear World,

Below is copy paste of GOBBLES advisory for NTOP. NTOP available from www.ntop.org. This serious remote root bug in logging mechanism. Time for alert and disclosure is now. Website with other advisories at http://www.bugtraq.org. It look like shit because on free host. GOBBLES poor researcher who not out for the big dollar, and nothing that can be done about this at this time.

The question: "Freedom vs. Security: who will win?"
The answer: GOBBLES.

It time for full disclosure. All bets off.

GOBBLES SECURITY ADVISORY #31
Preauthentication Remote Root Hole in NTOP

Forward: GOBBLES is afraid that zen-parse have found a copy of private GOBBLES exploit for this vulnerability and will try to contact vendor in sneaky fashion to pretend he found bug, without issuing typical conditional advisory full of "if this present, and this present, and the moon is full, two month later you get uid(uucp) on default install of Redhat Linux 1.1" for fame advisory, which seem to be typical practice for this shady character, thus forcing GOBBLES to quick release of advisory with no time to contact vendor. Though GOBBLES not to offer apologies to anyone this might hurt, because at this point GOBBLES not really give a fuck about things. No more "I found exploit in wild, must contact developer like good ethical whitehat loser." This is not actual ethical action.
Proper credit must go to proper researcher. This now race condition. GOBBLES to come out victorious. 3APAPA, GOBBLES check your silly website. Do not try to claim you find this 20 years ago and say, "GOBBLES, you still behind the leaders." GOBBLES is the leader. There no competition here, especially from you.

Vendor Website: http://www.ntop.org

Threat Level: "So high, that Securityfocus will stop blocking our submissions and allow it on their lists... at least, we hope!"

Description of Software: hehe, GOBBLES flex he wrists for copy paste and show the eager penetrator the following:

What's ntop?

ntop is a Unix tool that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform and on Win32 as well. I have developed libpcap for Win32 (port of libpcap to Win32) in order to have a single ntop source tree.

ntop comes with two applications: the 'classical' ntop that sports an embedded web server, and intop (interactive ntop) is basically a network shell based on the ntop engine. intop provides a powerful and flexible interface to the ntop packet sniffer. Since ntop has grown so much in functionality and it cannot be simply considered a network-browser, the problem of capturing and showing network usage has been split. As of version 1.3 the ntop engine captures packets, performs traffic analysis and information storage. intop implements a bare, command line based interface, with an apparently spartan look and feel, but a lot of functionality already implemented, and others planned for future releases.

Users can use a web browser (e.g. netscape) to navigate through ntop (that acts as a web server) traffic information and get a dump of the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an embedded web interface.

What can ntop do for me?
* Sort network traffic according to many protocols
* Show network traffic sorted according to various criteria
* Display traffic statistics
* Show IP traffic distribution among the various protocols
* Analyse IP traffic and sort it according to the source/destination
* Display IP Traffic Subnet matrix (who's talking to who?)
* Report IP protocol usage sorted by protocol type

Platforms
* Unix
* Win32

Media
* Loopback
* Ethernet
* Token Ring
* PPP
* Raw IP
* FDDI

IP Protocols
Fully User Configurable

Additional Features
* Embedded HTTP server
* Network Flows
* Local Traffic Analysis
* Multithread
* Lightweight Network IDS (Intrusion Detection System)
* C++/Perl lightweight API for accessing ntop from remote
* Internet Domain Statistics
* CGI support
* Advanced 'per user' HTTP password protection with encrypted passwords
* Support for SQL database for storing persistent traffic information
* Remote hosts OS identification (via nmap)
* HTTPS (Secure HTTP via OpenSSL)
* libwrap support
* Virtual/multiple network interfaces support
* Graphical Charts (via gdchart)
* Perl Interface
* WAP support

hehehehehehehe ;pppppppppppppppppp

Description of Problem(s):

Before GOBBLES give you information needed to get uid(0) everywhere, he want to show you something about ntop which may be something used to discourage you from using lame software.

    GOBBLES@dev02:/home/hacking/ntop > grep -r "Buffer overflow" * -r |wc -l
    513

Programmer know he own code is lame and have issues, but all he can do to fix is tell you why he program sucks. . .

On to more pressing matter. From util.c, we look at content of function traceLevel().

    ...
    switch(traceLevel) {
      case 0: syslog(LOG_ERR, buf); break;
      case 1: syslog(LOG_WARNING, buf); break;
      case 2: syslog(LOG_NOTICE, buf); break;
      default: syslog(LOG_INFO, buf); break;
    }
    #else
    syslog(LOG_ERR, buf);
    ...

Uh oh, there some bugs! But now important question is, can GOBBLES control buf with malicious GOBBLEScode to execute rm -rf /* on machine?
Let's take a look at how function traceLevel() called throughout rest of code. Time to look at admin.c:

    traceEvent(TRACE_INFO, "User='%s' - Pw='%s [%s]'\n", user, pw, data_data.dptr);

Uh oh. Option to log username and password sent to http for authentication to ntop, when faulty syslog() and printf() statement to be called. This remote and root. Beware.

Fix: None at this time. Thank zen-parse for being leech.

Suggested Workaround: Don't run software on network that can report buffer overflows in itself from 513 different locations in the code.

Greets: Our #1 fan, Dave Aitel. Dave, GOBBLES love you -- you get free GOBBLES Security tshirt at Defcon.

Love to all (but especially to "bob"),
GOBBLES Security
http://www.bugtraq.org
GOBBLES@hushmail.com

ps: GOBBLES currently in communication with Sun Microsystems about lethal remote bug in Solaris 6, 7, and 8. Sun has asked GOBBLES to wait one month to release advisory so that service can be fixed. GOBBLES not sure if he can wait this long, but will try very hard to not click "send" for while longer on hole. If you run Solaris, likely you are vulnerable. But you will have to wait. No joke, this serious remote root hole. GOBBLES turned blind eye to argument from hackers about danger of releasing vulnerabilities. GOBBLES know that only hackers care about non-disclosure. Anyone else is likely to be very boring. :))))

Hey, GOBBLES considered two ways of getting fame and recognition for he world-class security group...
1. put up a message board on bugtraq.org with gobbles group name branded all over it and let world know he have private exploits...
2. submit ground-breaking research to the securityfocus mailing lists.....
hey, the latter has a bigger audience ;)))))))
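An added C example, not ntop's code and not from either message in this thread, showing the two defensive points the exchange turns on: checking the vsnprintf return code for truncation as Burton describes, and handing the formatted text to syslog() as data under a constant "%s" format rather than as the format string, which is what the quoted util.c lines do. The buffer size, function names and the hostile username are constructed for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define TRACE_BUF_LEN 512   /* constructed size, not ntop's */

/* Format a trace message and report vsnprintf's return code instead of
 * dropping it (the check described in the reply, as one helper; not ntop's
 * BufferOverflow()). Returns 0 on success, 1 if truncated (buf still holds
 * a NUL-terminated prefix), -1 on a formatting error. */
int formatTraceMessage(char *buf, size_t bufLen, const char *fmt, ...) {
    va_list ap;
    int needed;
    if (bufLen == 0) return -1;
    va_start(ap, fmt);
    needed = vsnprintf(buf, bufLen, fmt, ap);   /* never writes past bufLen-1 */
    va_end(ap);
    if (needed < 0) { buf[0] = '\0'; return -1; }
    return ((size_t)needed >= bufLen) ? 1 : 0;
}

/* Count printf conversions in already-formatted text ("%%" is a literal).
 * Non-zero on text about to be passed as syslog(prio, buf) is exactly the
 * advisory's condition: a user-supplied field is parsed as a format string. */
int countFormatDirectives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (s[0] == '%' && s[1] == '%') { s++; continue; }
        if (s[0] == '%') n++;
    }
    return n;
}

/* Hardened sink: buf is data under a constant format, so it is logged
 * verbatim. The quoted util.c lines call syslog(prio, buf) instead. */
void traceToSyslog(int priority, const char *buf) {
    syslog(priority, "%s", buf);
}

/* Worked case: a constructed hostile username through the formatter.
 * Returns the text that would reach syslog, or NULL on error/truncation. */
const char *demoHostileUsername(void) {
    static char buf[TRACE_BUF_LEN];
    const char *user = "%s%s%s%n";   /* constructed hostile input */
    if (formatTraceMessage(buf, sizeof buf, "User='%s' - Pw='%s'", user, "secret") != 0)
        return NULL;
    return buf;
}
```

The formatted text keeps the four conversion specifiers verbatim, which is harmless through traceToSyslog() and a live format-string bug through the quoted syslog(prio, buf) form.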