
ntop remote format string overflow in web interface
5th Mar 2002 [SBWID-5164]



	ntop 2.0, others ??


	hologram <> posted :


	The format string vulnerability lies within  the  traceEvent()  function
	which is declared as:

	void traceEvent(int eventTraceLevel, char* file,
	                int line, char * format, ...)


	in the file util.c. The third argument, as  is  apparent,  is  a  format
	string to be later manipulated by the traceEvent() call.

	Further into the code, the following is made visible:



	  va_list va_ap;
	  va_start (va_ap, format);

	    char buf[BUF_SIZE];

	#ifdef WIN32
	      /* Windows lacks vsnprintf */
	      vsprintf(buf, format, va_ap);
	#else
	      vsnprintf(buf, BUF_SIZE-1, format, va_ap);
	#endif

	      if(!useSyslog) {  // syslog() logging is not enabled
		printf(buf);  // vulnerability
	      }
	#ifndef WIN32
	      else {  // syslog() logging is enabled
	#if 0
		switch(traceLevel) {
		case 0:
		  syslog(LOG_ERR, buf);  // vulnerability
		  break;
		case 1:
		  syslog(LOG_WARNING, buf);  // vulnerability
		  break;
		case 2:
		  syslog(LOG_NOTICE, buf);  // vulnerability
		  break;
		default:
		  syslog(LOG_INFO, buf);   // vulnerability
		  break;
		}
	#else
		syslog(LOG_ERR, buf);
	#endif
	      }
	#endif

	Obviously, a call such as syslog(LOG_ERR, buf) should be  replaced  with
	syslog(LOG_ERR, "%s", buf) to remove the insecurity.

	The bug can be exploited whether or  not  syslog()  logging  is  enabled
	because of the erroneous printf(buf) call, as well.

	One of the simplest points of entry I  have  determined  is  if  the  -w
	option was specified when ntop was run, which allows web access  to  the
	ntop information. An HTTP request of the following:

	GET /%s%s%s HTTP/1.0


	will cause program termination (the HTTP daemon  for  ntop  is  normally
	listening on port 3000).

	The vulnerability does allow remote  execution  of  arbitrary  commands,
	and if concerned, an appropriate fix should be quickly applied.
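
	The replacement of syslog(LOG_ERR, buf) with syslog(LOG_ERR, "%s", buf)
	described above, applied to both output paths, as an added example that
	is not ntop's code or part of the original post. The names
	trace_event_safe, trace_sink, the sink_* functions, log_request_path and
	the "request for" message are hypothetical, and a POSIX system with
	<syslog.h> is assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define BUF_SIZE 1024

typedef void (*trace_sink)(const char *msg);   /* hypothetical output hook */

/* Each sink treats the finished message as data: the only format string
 * is the constant "%s", so '%' sequences inside msg are never interpreted. */
static void sink_stdout(const char *msg) { printf("%s", msg); }
static void sink_syslog(const char *msg) { syslog(LOG_ERR, "%s", msg); }

static char captured[BUF_SIZE];                /* lets the demo inspect output */
static void sink_capture(const char *msg) { snprintf(captured, sizeof captured, "%s", msg); }

/* Stand-in for traceEvent(): expand the caller's format exactly once,
 * bounded by the buffer size, then hand the result to the sink.
 * Returns the untruncated message length, or -1 on a formatting error. */
static int trace_event_safe(trace_sink sink, const char *format, ...)
{
    char buf[BUF_SIZE];
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(buf, sizeof buf, format, ap);  /* always NUL-terminates */
    va_end(ap);
    if (n < 0)
        return -1;
    sink(buf);
    return n;
}

/* Logs a request path (remote input in the advisory's scenario) as an
 * argument, never as the format, and returns the text that was emitted. */
const char *log_request_path(const char *path)
{
    captured[0] = '\0';
    trace_event_safe(sink_capture, "request for %s", path);
    return captured;
}

int main(void)
{
    trace_sink sinks[] = { sink_stdout, sink_syslog };
    /* "/%s%s%s" is constructed sample input; it is printed literally. */
    trace_event_safe(sinks[0], "%s\n", log_request_path("/%s%s%s"));
    return 0;
}
```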



	fix available ??
