List:       ntop-dev
Subject:    [Ntop-dev] re: gobbles ntop alert
From:       "Burton M. Strauss III" <BStrauss3 () attbi ! com>
Date:       2002-04-12 15:28:06
Message-ID: JIEPJGFPFMFIGBNCPKGGCEIDCFAA.BStrauss3 () attbi ! com

(Resend to ntop lists.

Note that because of the mail list filters I've seen returned messages from,
I have edited "Gobbles" text to remove certain 4 letter words.  I did not do
this originally - although I know those words, I don't use them in public
email - but believed (because of the tone of the original message) that it
was important to prevent an accusation of "changing what I said".  If you
attempt to verify the PGP signature, it will now fail.  So be it... the
original, unchanged and verifiable message can be found at
http://online.securityfocus.com/archive/1/267053

This resend is because I wanted to be sure that the message reaches all
ntop/ntop-dev subscribers.

I'm less concerned about Bugtraq et al - those mail list subscribers who
filtered the reply wouldn't have received the original.  I know this went
out to Bugtraq and directly to the individuals, as I have seen it and
received a less than printable personal response from Gobbles.

For the record, I don't care who found it first, but rather wanted it on
record that the hole has been and was closed as soon as ntop became aware of
it.  (That is the IMPORTANT thing - while it may be impossible to create bug
free code, responsible developers fix critical security problems as soon as
they are made aware of them.  And it's off topic, but I believe it's not time
to release, but time to an accurate, tested release, that's important.)

I also wanted to be on the record regarding certain OTHER matters...
)



This problem was reported on the ntop mailing list on 2/28/2002
(http://listmanager.unipi.it/pipermail/ntop-dev/2002-February/000489.html)
and immediately patched...

It was reported on bugtraq on 3/5/2002 by hologram [holo@brained.org]
(http://online.securityfocus.com/archive/1/259642).  At the time
(http://online.securityfocus.com/archive/1/259723), I said

"Although this bug may allow for arbitrary code execution, the risk is
limited if the user follows good practices.  Still, an upgrade to snapshot
versions on/after 01Mar2002 is recommended to all ntop users.

ntop requires root privileges at startup in order to place the network
interface into promiscuous mode.  ntop provides the -u <username> parameter
to allow ntop to run as an unprivileged user, as soon as possible after
execution begins.  This occurs BEFORE the web server is started.  If the
user continues to run as root, a WARNING message is displayed.

A pending patch will further tighten down the security screen on requested
URLs."

The patched version is in ntop snapshots (available at
http://snapshot.ntop.org) beginning with ntop-02-03-01.tgz (01Mar2002) and
all subsequent versions.

ntop 2.1, due to be released soon, will (of course) include the fix for this
problem (and many others, not security related).  The URLsecurity patch has
been included, and the WARNING message been increased to an ERROR.  Unless
the user EXPLICITLY adds the -u root parameter, ntop will not run.

<soapbox>
Anyway as to your supposed exploit... let's display THREE lines of code:

#ifdef DEBUG
      traceEvent(TRACE_INFO, "User='%s' - Pw='%s [%s]'\n", user, pw,
                 data_data.dptr);
#endif

Makes a little difference, eh?

In addition, this routine is part of void doAddUser(), which is invoked from
the ntop web server.  The ntop web server is started after ntop has given up
its root privileges and assumed the given (-u parameter) user id's
privileges.  If that user is properly defined to have read/write access only
to ntop's files, then the risks are minimal.
</soapbox>

This is not to say that ALL uses of traceEvent() occur after privileges are
dropped, that's why the fix from Peter Suschlik was IMMEDIATELY incorporated
into ntop!

<soapbox>
As to the issue of "BufferOverflow()":

The usual practice in poorly coded software seems to be not to check the
return code from functions such as printf(), sprintf(), snprintf().

Instead, ntop uses snprintf() and checks the return code and generates a
debugging message to allow us to further improve the code.  snprintf() will
not overflow the buffer.  In addition, the size of every buffer ntop uses
has been adjusted to be sufficiently large to handle the data - the test is
merely a belt & suspenders test.
</soapbox>

However - OBVIOUSLY - if you find a situation where user generated data can
cause an overflow in open code (vs. debug), we will take all necessary steps
to protect the application.  Please send this in confidence to Luca at his
published address.  A title such as "Security hole in ntop" is enough to get
his attention <grin>.

Can ntop be improved? Certainly!

The developers are always interested in further improving ntop.  If you have
any other issues, corrections or suggestions, please don't hesitate to send
them in.  As it says in the ntop web server itself and on
http://www.ntop.org:

"ntop's author strongly believes in open source software and encourages
everyone to modify, improve and extend ntop in the interest of the whole
Internet community according to the enclosed license (see COPYING).

Problems, bugs, questions, desirable enhancements, source code
contributions, etc., should be sent to the mailing list."

Unfortunately, the mailing list has been closed due to spam.  The contact
address remains ntop@ntop.org (information about the mailing lists is at
http://www.ntop.org/needHelp.html).

One final point - unfortunately, the text you are quoting about ntop is for
the 1.3 version and has not yet been updated for 2.0 - the major difference
is that intop has been marginalized in favor of the much richer web based
interface.

Thanks!

-----Burton

-----Original Message-----
From: gobbles@hushmail.com [mailto:gobbles@hushmail.com]
Sent: Thursday, April 11, 2002 8:42 AM
To: bugtraq@securityfocus.com; vulnwatch@vulnwatch.org;
vuln-dev@securityfocus.com; bugs@securitytracker.com
Subject: ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT
ALERT



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear World,
Below is copy paste of GOBBLES advisory for NTOP.  NTOP available from
www.ntop.org.  This serious remote root bug in logging mechanism.  Time for
alert and disclosure is now.

Website with other advisories at http://www.bugtraq.org.  It look like ****
because on free host.  GOBBLES poor researcher who not out for the big
dollar, and nothing that can be done about this at this time.

The question:
"Freedom vs. Security: who will win?"

The answer:
GOBBLES.  It time for full disclosure.

All bets off.

GOBBLES SECURITY ADVISORY #31
Preauthentication Remote Root Hole in NTOP

Forward:
GOBBLES is afraid that zen-parse have found a copy of private GOBBLES
exploit for this vulnerability and will try to contact vendor in sneaky
fashion to pretend he found bug, without issuing typical conditional
advisory full of "if this present, and this present, and the moon is full,
two month later you get uid(uucp) on default install of Redhat Linux 1.1"
for fame advisory, which seem to be typical practice for this shady
character, thus forcing GOBBLES to quick release of advisory with no time to
contact vendor.  Though GOBBLES not to offer apologies to anyone this might
hurt, because at this point GOBBLES not really give a **** about things.

No more "I found exploit in wild, must contact developer like good ethical
whitehat loser."  This is not actual ethical action.  Proper credit must go
to proper researcher.  This now race condition.

GOBBLES to come out victorious.

3APAPA, GOBBLES check your silly website.  Do not try to claim you find this
20 years ago and say, "GOBBLES, you still behind the leaders."  GOBBLES is
the leader.  There no competition here,  especially from you. . .

Vendor Website:
http://www.ntop.org

Threat Level:
"So high, that Securityfocus will stop blocking our submissions and allow it
on their lists...  at least, we hope!"

Description of Software:
hehe, GOBBLES flex he wrists for copy paste and show the eager penetrator
the following:



   What's ntop?

   ntop  is  a Unix tool that shows the network usage, similar to what the
popular top Unix command does.  ntop  is based on libpcap and it has been
written in a portable way in order to virtually run  on  every  Unix
platform and on Win32 as well. I have developed libpcap for Win32 (port of
libpcap to Win32) in order to have a single ntop source tree.

   ntop  comes  with two applications: the 'classical' ntop that sports an
embedded web server, and intop (interactive ntop) is basically a network
shell based on the ntop engine.

   intop provides a powerful and flexible interface to the ntop packet
sniffer. Since ntop has grown so much in functionality and it cannot be
simply considered a network-browser, the problem of capturing and showing
network usage has been split. As of version 1.3 the ntop engine captures
packets, performs traffic analysis and information storage. intop
implements a bare, command line based interface, with an apparently
spartan look and feel, but a lot of functionality already implemented,
and others planned for future releases.


   Users can use a web browser (e.g. netscape) to navigate through
ntop (that acts as a web server) traffic information and get a dump of the
network status. In the latter case, ntop can be seen as a simple RMON-like
agent with an embedded web interface.


   What can ntop do for me?

     * Sort network traffic according to many protocols
     * Show network traffic sorted according to various criteria
     * Display traffic statistics
     * Show IP traffic distribution among the various protocols
     * Analyse IP traffic and sort it according to the source/destination
     * Display IP Traffic Subnet matrix (who's talking to who?)
     * Report IP protocol usage sorted by protocol type

   Platforms
     * Unix
     * Win32

   Media
     * Loopback
     * Ethernet
     * Token Ring
     * PPP
     * Raw IP
     * FDDI

   IP Protocols
     * Fully User Configurable

   Additional Features
     * Embedded HTTP server
     * Network Flows
     * Local Traffic Analysis
     * Multithread
     * Lightweight Network IDS (Intrusion Detection System)
     * C++/Perl lightweight API for accessing ntop from remote
     * Internet Domain Statistics
     * CGI support
     * Advanced 'per user' HTTP password protection with encrypted passwords
     * Support for SQL database for storing persistent traffic information
     * Remote hosts OS identification (via nmap)
     * HTTPS (Secure HTTP via OpenSSL)
     * libwrap support
     * Virtual/multiple network interfaces support
     * Graphical Charts (via gdchart)
     * Perl Interface
     * WAP support

hehehehehehehe ;pppppppppppppppppp


Description of Problem(s):
Before GOBBLES give you information needed to get uid(0) everywhere, he want
to show you something about ntop which may be something used to discourage
you from using lame software.

GOBBLES@dev02:/home/hacking/ntop > grep -r "Buffer overflow" * -r |wc -l
    513

Programmer know he own code is lame and have issues, but all he can do to
fix is tell you why he program sucks. . .

On to more pressing matter.

From util.c, we look at content of function traceLevel().

...

        switch(traceLevel) {
        case 0:
          syslog(LOG_ERR, buf);
          break;
        case 1:
          syslog(LOG_WARNING, buf);
          break;
        case 2:
          syslog(LOG_NOTICE, buf);
          break;
        default:
          syslog(LOG_INFO, buf);
          break;
        }
#else
        syslog(LOG_ERR, buf);

...

Uh oh, there some bugs!  But now important question is, can GOBBLES control
buf with malicious GOBBLEScode to execute rm -rf /* on machine?  Lets take a
look at how function traceLevel() called throughout rest of code.

Time to look at admin.c

      traceEvent(TRACE_INFO, "User='%s' - Pw='%s [%s]'\n", user, pw,
                 data_data.dptr);

Uh oh.  Option to log username and password sent to http for authentication
to ntop, when faulty syslog() and printf() statement to be called.

This remote and root.  Beware.

Fix:
None at this time.  Thank zen-parse for being leech.

Suggested Workaround:
Don't run software on network that can report buffer overflows in itself
from 513 different locations in the code.

Greets:
Our #1 fan, Dave Aitel.  Dave, GOBBLES love you -- you get free GOBBLES
Security tshirt at Defcon.


Love to all (but especially to "bob"),
GOBBLES Security
http://www.bugtraq.org
GOBBLES@hushmail.com


ps: GOBBLES currently in communication with Sun Microsystems about lethal
remote bug in Solaris 6, 7, and 8.  Sun has asked GOBBLES to wait one month
to release advisory so that service can be fixed.  GOBBLES not sure if he
can wait this long, but will try very hard to not click "send" for while
longer on hole.  If you run Solaris, likely you are vulnerable.  But you
will have to wait.

No joke, this serious remote root hole.  GOBBLES turned blind eye to
argument from hackers about danger of releasing vulnerabilities.  GOBBLES
know that only hackers care about non-disclosure.  Anyone else is likely to
be very boring. :))))

Hey, GOBBLES considered two ways of getting fame and recognition for he
world-class security group... 1. put up a message board on bugtraq.org with
gobbles group name branded all over it and let world know he have private
exploits... 2. submit ground-breaking research to the securityfocus mailing
lists.....

hey, the latter has a bigger audience ;)))))))


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjy1k3cVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPsUEA
n0YCfbYbhyvYgWYIolGRX8FVIbCHAJ0dLAzuHGB7ruhgsINM38dBPJ2Opw==
=/r5w
-----END PGP SIGNATURE-----
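Added example (editor's note, not ntop's code and not part of either message above): the two technical points in this thread side by side in working C. The util.c fragment GOBBLES quotes hands the finished message buffer to syslog() as its FORMAT argument, so any '%' directives a remote user put into the username are parsed by syslog's own formatter; the fix is to pass the buffer as data behind a constant "%s". Burton's point that snprintf() cannot overrun its buffer, and that checking its return value is a belt-and-suspenders truncation check, is what format_trace() below does. All names here (trace_event_safe, format_trace, syslog_sink, capture_sink, demo_login_trace, long_user_trace, TRACE_BUF_LEN) are this example's own, not ntop identifiers; the level-to-priority switch mirrors the one quoted from util.c; the username and peer address are constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define TRACE_BUF_LEN 128   /* fixed-size buffer, as a trace routine would use */

/* Where a finished line goes. The self-check hands in capture_sink();
 * a real build hands in syslog_sink(). Both names are this example's own. */
typedef void (*trace_sink)(int priority, const char *line);

/* Map a trace level onto a syslog priority, mirroring the switch quoted
 * above from util.c. */
static int level_to_priority(int level) {
    switch (level) {
    case 0:  return LOG_ERR;
    case 1:  return LOG_WARNING;
    case 2:  return LOG_NOTICE;
    default: return LOG_INFO;
    }
}

/* Format into a fixed buffer. vsnprintf never writes past buflen, so the
 * return value cannot signal an overflow; it signals truncation, which is
 * what the "belt and suspenders" check reports. Returns the number of
 * characters placed in buf, or -1 if the message did not fit. */
static int format_trace(char *buf, size_t buflen, const char *fmt, va_list ap) {
    int n = vsnprintf(buf, buflen, fmt, ap);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* The vulnerable shape quoted above is syslog(LOG_ERR, buf): buf, which by
 * then holds whatever the remote user typed, is parsed by syslog's own
 * formatter. Kept in a comment only, it is deliberately not compiled here:
 *
 *   static void unsafe_sink(int prio, const char *line) { syslog(prio, line); }
 *
 * The hardened sink passes the line as DATA behind a constant "%s" format. */
void syslog_sink(int prio, const char *line) {
    syslog(prio, "%s", line);
}

/* Hardened trace routine: format once, note truncation, hand the result to
 * the sink as data. Returns format_trace's result so the caller can tell a
 * truncated message from a complete one. */
int trace_event_safe(trace_sink sink, int level, const char *fmt, ...) {
    char buf[TRACE_BUF_LEN];
    va_list ap;
    va_start(ap, fmt);
    int n = format_trace(buf, sizeof buf, fmt, ap);
    va_end(ap);
    sink(level_to_priority(level), buf);
    return n;
}

/* Capturing sink for the self-check: remembers the last priority and line. */
static int  last_prio;
static char last_line[TRACE_BUF_LEN];
static void capture_sink(int prio, const char *line) {
    last_prio = prio;
    snprintf(last_line, sizeof last_line, "%s", line);
}
const char *captured_line(void)     { return last_line; }
int         captured_priority(void) { return last_prio; }

/* A login trace whose username is supplied by the remote user. On the
 * hardened path the directives in the name are copied, never interpreted. */
int demo_login_trace(const char *user, const char *peer) {
    return trace_event_safe(capture_sink, 3, "User='%s' from %s", user, peer);
}

/* Same trace with a username of `len` 'A's, to exercise the truncation path. */
int long_user_trace(size_t len) {
    char name[512];
    if (len >= sizeof name) len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return demo_login_trace(name, "10.0.0.1");   /* constructed peer address */
}

int main(void) {
    int n = demo_login_trace("%x%x%n", "10.0.0.1");   /* constructed sample input */
    printf("%d chars, priority %d: %s\n", n, captured_priority(), captured_line());
    n = long_user_trace(200);
    printf("long name: rc=%d, logged %zu chars\n", n, strlen(captured_line()));
    return 0;
}
```

The sink runs with whatever privileges the process still holds, which is why the point made above about dropping root (-u) before the web server starts matters: a logging defect reachable from the HTTP authentication path is only as dangerous as the user id the web server thread runs under. Note also that a truncated line (return -1) is a reason to enlarge the buffer or shorten the message, never a sign of memory corruption, exactly as the text above says.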

