[H20020304]: Remotely exploitable format string vulnerability in ntop
Date: Mon, 4 Mar 2002 07:46:18 -0500 (EST)
From: hologram <holo@brained.org>
To: bugtraq@securityfocus.com
Subject: [H20020304]: Remotely exploitable format string vulnerability in ntop
--0-1989750537-1015245978=:3145
Content-Type: TEXT/PLAIN; charset=US-ASCII
h o l o g r a m | s e c u r i t y | a d v i s o r y
_______________________________________________________________________
Advisory ID : H20020304
Software : ntop
Synopsis : Remotely exploitable format
string vulnerability in ntop.
Vendor : Luca Deri <www.ntop.org>
Verified : Version 2.0
Author : hologram <holo@brained.org>
_______________________________________________________________________
| Overview |-----------------------------------------------------------
ntop is a UNIX tool that shows the network usage, similar to what the
popular top UNIX command does on the system level. A format string
vulnerability has been discovered on the programmatic level and
is currently known to affect the UNIX version, however, the Windows
port of the program remains untested. The vulnerability allows
for remote arbitrary code execution.
| Vulnerability |------------------------------------------------------
The format string vulnerability lies within the traceEvent() function
which is declared as:
void traceEvent(int eventTraceLevel, char* file,
int line, char * format, ...)
in the file util.c. The third argument, as is apparent, is a format
string to be later manipulated by the traceEvent() call.
Further into the code, the following is made visible:
...
va_list va_ap;
va_start (va_ap, format);
...
char buf[BUF_SIZE];
...
#ifdef WIN32
/* Windows lacks of vsnprintf */
vsprintf(buf, format, va_ap);
#else
vsnprintf(buf, BUF_SIZE-1, format, va_ap);
#endif
if(!useSyslog) { // syslog() logging is not enabled
printf(buf); // vulnerability
...
#ifndef WIN32
else { // syslog() logging is enabled
#if 0
switch(traceLevel) {
case 0:
syslog(LOG_ERR, buf); // vulnerability
break;
case 1:
syslog(LOG_WARNING, buf); // vulnerability
break;
case 2:
syslog(LOG_NOTICE, buf); // vulnerability
break;
default:
syslog(LOG_INFO, buf); // vulnerability
break;
}
#else
syslog(LOG_ERR, buf);
...
Obviously, a call such as syslog(LOG_ERR, buf) should be replaced
with syslog(LOG_ERR, "%s", buf) to remove the insecurity.
The bug can be exploited whether or not syslog() logging is enabled
because of the erroneous printf(buf) call, as well.
One of the simplest points of entry I have determined is if the -w
option was specified when ntop was ran, which allows web access
to the ntop information. A HTTP request of the following:
GET /%s%s%s HTTP/1.0
will cause program termination (the HTTP deamon for ntop is normally
listening on port 3000).
The vulnerability does allow remote execution of arbitrary commands,
and if concerned, an appropriate fix should be quickly applied.
-------------------------------| Copyright 2002. All rights reserved. |
--0-1989750537-1015245978=:3145
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="H20020304.txt"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.BSO.4.33.0203040746180.3145@brained.org>
Content-Description:
Content-Disposition: attachment; filename="H20020304.txt"
DQ0KICAgICAgICBoIG8gbCBvIGcgciBhIG0gIHwgIHMgZSBjIHUgciBpIHQg
eSAgfCAgYSBkIHYgaSBzIG8gciB5DQ0KX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX18NDQoNDQoNDQogICAgICAgICAgICAgICAgICAgICAgIEFkdmlzb3J5
IElEIDogSDIwMDIwMzA0DQ0KICAgICAgICAgICAgICAgICAgICAgICAgICBT
b2Z0d2FyZSA6IG50b3ANDQogICAgICAgICAgICAgICAgICAgICAgICAgIFN5
bm9wc2lzIDogUmVtb3RlbHkgZXhwbG9pdGFibGUgZm9ybWF0DQ0KICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN0cmluZyB2dWxuZXJh
YmlsaXR5IGluIG50b3AuDQ0KICAgICAgICAgICAgICAgICAgICAgICAgICAg
IFZlbmRvciA6IEx1Y2EgRGVyaSA8d3d3Lm50b3Aub3JnPg0NCiAgICAgICAg
ICAgICAgICAgICAgICAgICAgVmVyaWZpZWQgOiBWZXJzaW9uIDIuMA0NCiAg
ICAgICAgICAgICAgICAgICAgICAgICAgICBBdXRob3IgOiBob2xvZ3JhbSA8
aG9sb0BicmFpbmVkLm9yZz4NDQoNDQpfX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fXw0NCg0NCg0NCnwgT3ZlcnZpZXcgfC0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQ0KDQ0K
bnRvcCBpcyBhIFVOSVggdG9vbCB0aGF0IHNob3dzIHRoZSBuZXR3b3JrIHVz
YWdlLCBzaW1pbGFyIHRvIHdoYXQgdGhlDQ0KcG9wdWxhciB0b3AgVU5JWCBj
b21tYW5kIGRvZXMgb24gdGhlIHN5c3RlbSBsZXZlbC4gQSBmb3JtYXQgc3Ry
aW5nDQ0KdnVsbmVyYWJpbGl0eSBoYXMgYmVlbiBkaXNjb3ZlcmVkIG9uIHRo
ZSBwcm9ncmFtbWF0aWMgbGV2ZWwgYW5kDQ0KaXMgY3VycmVudGx5IGtub3du
IHRvIGFmZmVjdCB0aGUgVU5JWCB2ZXJzaW9uLCBob3dldmVyLCB0aGUgV2lu
ZG93cw0NCnBvcnQgb2YgdGhlIHByb2dyYW0gcmVtYWlucyB1bnRlc3RlZC4g
VGhlIHZ1bG5lcmFiaWxpdHkgYWxsb3dzDQ0KZm9yIHJlbW90ZSBhcmJpdHJh
cnkgY29kZSBleGVjdXRpb24uDQ0KDQ0KfCBWdWxuZXJhYmlsaXR5IHwtLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0NDQoNDQpUaGUgZm9ybWF0IHN0cmluZyB2dWxuZXJhYmlsaXR5IGxp
ZXMgd2l0aGluIHRoZSB0cmFjZUV2ZW50KCkgZnVuY3Rpb24NDQp3aGljaCBp
cyBkZWNsYXJlZCBhczoNDQoNDQp2b2lkIHRyYWNlRXZlbnQoaW50IGV2ZW50
VHJhY2VMZXZlbCwgY2hhciogZmlsZSwNDQogIGludCBsaW5lLCBjaGFyICog
Zm9ybWF0LCAuLi4pDQ0KDQ0KaW4gdGhlIGZpbGUgdXRpbC5jLiBUaGUgdGhp
cmQgYXJndW1lbnQsIGFzIGlzIGFwcGFyZW50LCBpcyBhIGZvcm1hdA0NCnN0
cmluZyB0byBiZSBsYXRlciBtYW5pcHVsYXRlZCBieSB0aGUgdHJhY2VFdmVu
dCgpIGNhbGwuDQ0KDQ0KRnVydGhlciBpbnRvIHRoZSBjb2RlLCB0aGUgZm9s
bG93aW5nIGlzIG1hZGUgdmlzaWJsZToNDQoNDQouLi4NDQoNDQogIHZhX2xp
c3QgdmFfYXA7DQ0KICB2YV9zdGFydCAodmFfYXAsIGZvcm1hdCk7DQ0KDQ0K
Li4uDQ0KDQ0KICAgIGNoYXIgYnVmW0JVRl9TSVpFXTsNDQoNDQouLi4NDQoN
DQojaWZkZWYgV0lOMzINDQogICAgICAvKiBXaW5kb3dzIGxhY2tzIG9mIHZz
bnByaW50ZiAqLw0NCiAgICAgIHZzcHJpbnRmKGJ1ZiwgZm9ybWF0LCB2YV9h
cCk7DQ0KI2Vsc2UNDQogICAgICB2c25wcmludGYoYnVmLCBCVUZfU0laRS0x
LCBmb3JtYXQsIHZhX2FwKTsNDQojZW5kaWYNDQoNDQogICAgICBpZighdXNl
U3lzbG9nKSB7ICAvLyBzeXNsb2coKSBsb2dnaW5nIGlzIG5vdCBlbmFibGVk
DQ0KCXByaW50ZihidWYpOyAgLy8gdnVsbmVyYWJpbGl0eQ0NCg0NCi4uLg0N
Cg0NCiNpZm5kZWYgV0lOMzINDQogICAgICBlbHNlIHsgIC8vIHN5c2xvZygp
IGxvZ2dpbmcgaXMgZW5hYmxlZA0NCiNpZiAwDQ0KCXN3aXRjaCh0cmFjZUxl
dmVsKSB7DQ0KCWNhc2UgMDoNDQoJICBzeXNsb2coTE9HX0VSUiwgYnVmKTsg
IC8vIHZ1bG5lcmFiaWxpdHkNDQoJICBicmVhazsNDQoJY2FzZSAxOg0NCgkg
IHN5c2xvZyhMT0dfV0FSTklORywgYnVmKTsgIC8vIHZ1bG5lcmFiaWxpdHkN
DQoJICBicmVhazsNDQoJY2FzZSAyOg0NCgkgIHN5c2xvZyhMT0dfTk9USUNF
LCBidWYpOyAgLy8gdnVsbmVyYWJpbGl0eQ0NCgkgIGJyZWFrOw0NCglkZWZh
dWx0Og0NCgkgIHN5c2xvZyhMT0dfSU5GTywgYnVmKTsgICAvLyB2dWxuZXJh
YmlsaXR5DQ0KCSAgYnJlYWs7DQ0KCX0NDQojZWxzZQ0NCglzeXNsb2coTE9H
X0VSUiwgYnVmKTsgDQ0KDQ0KLi4uDQ0KDQ0KT2J2aW91c2x5LCBhIGNhbGwg
c3VjaCBhcyBzeXNsb2coTE9HX0VSUiwgYnVmKSBzaG91bGQgYmUgcmVwbGFj
ZWQNDQp3aXRoIHN5c2xvZyhMT0dfRVJSLCAiJXMiLCBidWYpIHRvIHJlbW92
ZSB0aGUgaW5zZWN1cml0eS4NDQoNDQpUaGUgYnVnIGNhbiBiZSBleHBsb2l0
ZWQgd2hldGhlciBvciBub3Qgc3lzbG9nKCkgbG9nZ2luZyBpcyBlbmFibGVk
DQ0KYmVjYXVzZSBvZiB0aGUgZXJyb25lb3VzIHByaW50ZihidWYpIGNhbGws
IGFzIHdlbGwuDQ0KDQ0KT25lIG9mIHRoZSBzaW1wbGVzdCBwb2ludHMgb2Yg
ZW50cnkgSSBoYXZlIGRldGVybWluZWQgaXMgaWYgdGhlIC13DQ0Kb3B0aW9u
IHdhcyBzcGVjaWZpZWQgd2hlbiBudG9wIHdhcyByYW4sIHdoaWNoIGFsbG93
cyB3ZWIgYWNjZXNzDQ0KdG8gdGhlIG50b3AgaW5mb3JtYXRpb24uIEEgSFRU
UCByZXF1ZXN0IG9mIHRoZSBmb2xsb3dpbmc6DQ0KDQ0KR0VUIC8lcyVzJXMg
SFRUUC8xLjANDQoNDQp3aWxsIGNhdXNlIHByb2dyYW0gdGVybWluYXRpb24g
KHRoZSBIVFRQIGRlYW1vbiBmb3IgbnRvcCBpcyBub3JtYWxseQ0NCmxpc3Rl
bmluZyBvbiBwb3J0IDMwMDApLg0NCg0NClRoZSB2dWxuZXJhYmlsaXR5IGRv
ZXMgYWxsb3cgcmVtb3RlIGV4ZWN1dGlvbiBvZiBhcmJpdHJhcnkgY29tbWFu
ZHMsDQ0KYW5kIGlmIGNvbmNlcm5lZCwgYW4gYXBwcm9wcmlhdGUgZml4IHNo
b3VsZCBiZSBxdWlja2x5IGFwcGxpZWQuDQ0KDQ0KDQ0KLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLXwgQ29weXJpZ2h0IDIwMDIuIEFsbCByaWdo
dHMgcmVzZXJ2ZWQuIHwNDQoNDQo=
--0-1989750537-1015245978=:3145--
