OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: hologram (holobrained.org)
Date: Mon Mar 04 2002 - 06:47:50 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

            h o l o g r a m | s e c u r i t y | a d v i s o r y
    _______________________________________________________________________

                           Advisory ID : H20020304
                              Software : ntop
                              Synopsis : Remotely exploitable format
                                         string vulnerability in ntop.
                                Vendor : Luca Deri <www.ntop.org>
                              Verified : Version 2.0
                                Author : hologram <holobrained.org>

    _______________________________________________________________________

    | Overview |-----------------------------------------------------------

    ntop is a UNIX tool that shows the network usage, similar to what the
    popular top UNIX command does on the system level. A format string
    vulnerability has been discovered on the programmatic level and
    is currently known to affect the UNIX version, however, the Windows
    port of the program remains untested. The vulnerability allows
    for remote arbitrary code execution.

    | Vulnerability |------------------------------------------------------

    The format string vulnerability lies within the traceEvent() function
    which is declared as:

    void traceEvent(int eventTraceLevel, char* file,
      int line, char * format, ...)

    in the file util.c. The third argument, as is apparent, is a format
    string to be later manipulated by the traceEvent() call.

    Further into the code, the following is made visible:

    ...

      va_list va_ap;
      va_start (va_ap, format);

    ...

        char buf[BUF_SIZE];

    ...

    #ifdef WIN32
          /* Windows lacks of vsnprintf */
          vsprintf(buf, format, va_ap);
    #else
          vsnprintf(buf, BUF_SIZE-1, format, va_ap);
    #endif

          if(!useSyslog) { // syslog() logging is not enabled
            printf(buf); // vulnerability

    ...

    #ifndef WIN32
          else { // syslog() logging is enabled
    #if 0
            switch(traceLevel) {
            case 0:
              syslog(LOG_ERR, buf); // vulnerability
              break;
            case 1:
              syslog(LOG_WARNING, buf); // vulnerability
              break;
            case 2:
              syslog(LOG_NOTICE, buf); // vulnerability
              break;
            default:
              syslog(LOG_INFO, buf); // vulnerability
              break;
            }
    #else
            syslog(LOG_ERR, buf);

    ...

    Obviously, a call such as syslog(LOG_ERR, buf) should be replaced
    with syslog(LOG_ERR, "%s", buf) to remove the insecurity.

    The bug can be exploited whether or not syslog() logging is enabled
    because of the erroneous printf(buf) call, as well.

    One of the simplest points of entry I have determined is if the -w
    option was specified when ntop was ran, which allows web access
    to the ntop information. A HTTP request of the following:

    GET /%s%s%s HTTP/1.0

    will cause program termination (the HTTP deamon for ntop is normally
    listening on port 3000).

    The vulnerability does allow remote execution of arbitrary commands,
    and if concerned, an appropriate fix should be quickly applied.

    -------------------------------| Copyright 2002. All rights reserved. |