Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: lnx5164.htm

ntop remote format string overflow in web interface



5th Mar 2002 [SBWID-5164]
COMMAND

	ntop remote format string overflow in web interface

SYSTEMS AFFECTED

	ntop 2.0, others ??

PROBLEM

	hologram <holo@brained.org> posted :
	

	--snipp--
	

	The format string vulnerability lies within  the  traceEvent()  function
	which is declared as:
	 

	void traceEvent(int eventTraceLevel, char* file,

	  int line, char * format, ...)

	

	in the file util.c. The third argument, as  is  apparent,  is  a  format
	string to be later manipulated by the traceEvent() call.
	

	Further into the code, the following is made visible:
	 

	...

	

	  va_list va_ap;

	  va_start (va_ap, format);

	

	...

	

	    char buf[BUF_SIZE];

	

	...

	

	#ifdef WIN32

	      /* Windows lacks of vsnprintf */

	      vsprintf(buf, format, va_ap);

	#else

	      vsnprintf(buf, BUF_SIZE-1, format, va_ap);

	#endif

	

	      if(!useSyslog) {  // syslog() logging is not enabled

		printf(buf);  // vulnerability

	

	...

	

	#ifndef WIN32

	      else {  // syslog() logging is enabled

	#if 0

		switch(traceLevel) {

		case 0:

		  syslog(LOG_ERR, buf);  // vulnerability

		  break;

		case 1:

		  syslog(LOG_WARNING, buf);  // vulnerability

		  break;

		case 2:

		  syslog(LOG_NOTICE, buf);  // vulnerability

		  break;

		default:

		  syslog(LOG_INFO, buf);   // vulnerability

		  break;

		}

	#else

		syslog(LOG_ERR, buf);

	

	...

	

	Obviously, a call such as syslog(LOG_ERR, buf) should be  replaced  with
	syslog(LOG_ERR, \"%s\", buf) to remove the insecurity.
	

	The bug can be exploited whether or  not  syslog()  logging  is  enabled
	because of the erroneous printf(buf) call, as well.
	

	One of the simplest points of entry I  have  determined  is  if  the  -w
	option was specified when ntop was ran, which allows web access  to  the
	ntop information. A HTTP request of the following:
	 

	GET /%s%s%s HTTP/1.0

	

	will cause program termination (the HTTP deamon  for  ntop  is  normally
	listening on port 3000).
	

	The vulnerability does allow remote  execution  of  arbitrary  commands,
	and if concerned, an appropriate fix should be quickly applied.
	

	--snapp--

SOLUTION

	fix available ??


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH