
List:       ntop-dev
Subject:    [Ntop-dev] RE: segfault in ntop
From:       "Burton M. Strauss III" <Burton () ntopsupport ! com>
Date:       2002-04-19 14:01:10
Message-ID: JIEPJGFPFMFIGBNCPKGGIEPGCFAA.Burton () ntopsupport ! com

(Resend - apparently this didn't get through the 1st time)

The current version of ntop (2.0.99) - 12April2002 snapshot - does not
crash.  Tested under 4.79 and 6.2.2.  Also IE 5.5.

The patch in traceEvent to fix the previously reported security problem
(references below) also fixes this problem.  That version has been available
in ntop snapshots since 01Mar2002.

Snapshots and news are available at the ntop community support pages,
http://snapshot.ntop.org/.

ntop 2.1 (a new stable release) is being prepared for release.

-----Burton

Bugtraq references

Original traceEvent posting:
http://online.securityfocus.com/archive/1/259642
Reply: http://online.securityfocus.com/archive/1/259723

Second traceEvent posting: http://online.securityfocus.com/archive/1/267053
Reply: http://online.securityfocus.com/archive/1/267180

==============================

What appears to be the difference between NS4.79/IE5.5 and NS6.2.2 is that
Netscape 6.2.2 converts the url from

http://192.168.xx.yy:pppp/`ls` to
http://192.168.xx.yy:pppp/%60ls%60

ntop 2.0.99 (12Apr2002 snapshot) returns

"Unable to generate the page requested [%60]"

Netscape 4.79 reports "The document contains no data. Try again later or
contact the server's administrator."

IE 5.50 gives a standard internally generated error page.

Note that under both RFC 1945 - http 1.0
(http://www.w3.org/Protocols/rfc1945/rfc1945) and RFC 2068 - http 1.1
(http://www.w3.org/Protocols/rfc2068/rfc2068), the character ` appears to be
legal - it falls into the "national" category.

The results from IE 5.5 and NS 4.79 for ntop 2.0 are the same as above.
With the conversion from ` -> %60, NS 6.2.2 does in fact crash ntop 2.0 --
IF the -L (use syslog) flag is not specified...

Wait please: ntop is coming up...
17/Apr/2002 18:18:59 Initializing IP services...
17/Apr/2002 18:18:59 Initializing SSL...
17/Apr/2002 18:18:59 SSL initialized successfully
17/Apr/2002 18:18:59 Initializing GDBM...
17/Apr/2002 18:18:59 Initializing network devices...
17/Apr/2002 18:18:59 ntop v.2.0.0 MT (SSL) [i686-pc-linux-gnu] (02/28/02
06:47:29 AM build)
17/Apr/2002 18:18:59 Listening on [eth0,eth1]
17/Apr/2002 18:18:59 Copyright 1998-2001 by Luca Deri <deri@ntop.org>
17/Apr/2002 18:18:59 Get the freshest ntop from http://www.ntop.org/
17/Apr/2002 18:18:59 Initializing...
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 8201 (LWP 18072)]
__wcslen (s=0x3ff) at wcslen.c:30
30      wcslen.c: No such file or directory.
        in wcslen.c
(gdb) info stack
#0  __wcslen (s=0x3ff) at wcslen.c:30
#1  0x4051a344 in __wcsrtombs (dst=0x0, src=0x44630ca8, len=0,
ps=0x44630cac) at wcsrtombs.c:67
#2  0x404e3957 in _IO_vfprintf (s=0x405c06e0,
    format=0x4463124c "     12. Requested URL = '/%60ls%60', length = -1\n",
ap=0x44631204)
    at vfprintf.c:1524
#3  0x404ebe0c in printf (format=0x4463124c "     12. Requested URL =
'/%60ls%60', length = -1\n")
    at printf.c:33
#4  0x40210466 in traceEvent (eventTraceLevel=3, file=0x4005838b "http.c",
line=1809,
    format=0x400580c0 "%7d. Requested URL = '%s', length = %d\n") at
util.c:2173
#5  0x40036c99 in handleHTTPrequest (from={s_addr = 53127360}) at
http.c:1809
#6  0x400530d1 in handleSingleWebConnection (fdmask=0x44631a0c) at
webInterface.c:1155
#7  0x40052fa7 in handleWebConnections (notUsed=0x0) at webInterface.c:1086
#8  0x40450c6f in pthread_start_thread (arg=0x44631be0) at manager.c:284
#9  0x40450d5f in pthread_start_thread_event (arg=0x44631be0) at
manager.c:308
(gdb)

With -L in the parameters, the error is properly caught and reported (albeit
incompletely) in the log:

Apr 17 18:49:49 tigger ntop[18115]:      10. Requested URL = '/`ls`', length
= -1
Apr 17 18:50:06 tigger ntop[18115]:      11. Requested URL = '/
Apr 17 18:50:06 tigger ntop[18115]: Found % : @ \r or \n in URL (
Apr 17 18:50:06 tigger ntop[18115]:      12. Requested URL = '/style.css',
length = -1
-----Original Message-----
From: JP [mailto:px@negative.zeroday.net]
Sent: Wednesday, April 17, 2002 12:13 PM
To: bugtraq@securityfocus.com
Subject: segfault in ntop


I'm sorry if this has already been discussed on here before, but I went
through the thread and saw nothing on it.

I was able to remotely segfault ntop v.2.0.0 using Netscape 6.1 by simply
specifying a command in the url location bar.  For example:

http://ntop.site.com:port/`ls`

That above command will cause ntop to segfault and core dump.  I tried a
few different commands, ls and su segfaulted ntop, whereas everything else
I tried gave a 403 error, but ntop stayed online.

Here's information about my ntop platform:

Mandrake Linux v8.1 kernel 2.4.8-26mdk
ntop v.2.0.0 MT [i686-pc-linux-gnu] (01/24/02 03:04:18 PM build)

I was able to segfault ntop from the following platforms:

Mandrake Linux v8.1 kernel 2.4.8-26mdk with Netscape v6.1
(Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010726
Netscape6/6.1)

Mandrake Linux v8.1 kernel 2.4.8-26mdk with Opera 5.0 for Linux - 20010510
Build 024 -[5]

Windows 2000 Server 5.00.2195 SP2 with Netscape v6.2.2
(Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4.1)
Gecko/20020314 Netscape6/6.2.2)

I was unable to duplicate this segfault with the following browsers:

Internet Explorer v6.0.2600.0000
Konqueror v2.2.1

I did not test any other platforms or browsers than the ones listed here.
I have notified ntop and haven't received a response yet.

Thanks,

jason
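The backtrace in Burton's reply shows the defect class behind the crash: traceEvent formats its message ("%7d. Requested URL = '%s', length = %d\n") into a buffer and that buffer, now containing the request's own "%60ls%60", reaches printf as the format string, so "%60ls" is parsed as a 60-wide wide-string conversion and glibc walks a bogus pointer in __wcslen. The following is an added illustration written for this archive page, not ntop's code: trace_event_safe is a hypothetical logging wrapper that never reinterprets formatted text as a format, format_directives is a simplified scanner (it does not model every glibc extension) that reports which conversions an untrusted string would have introduced, and url_suspicious_char mirrors the "Found % : @ \r or \n in URL" check visible in the syslog output. The sample URL and message text are taken from the thread.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Safe logging wrapper (hypothetical): format into the caller's buffer with
 * vsnprintf, then emit it with fputs so the result is treated as data, never
 * as a format string. Returns the length vsnprintf reports. */
static int trace_event_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    fputs(out, stdout);      /* equivalent to printf("%s", out) */
    return n;
}

/* Counts printf directives (everything except "%%") in s and copies the first
 * one into first[]. Used to show what a formatted log line would have meant
 * had it been passed to printf as the format: each directive consumes an
 * argument that was never supplied. Simplified flag/width/length handling. */
static int format_directives(const char *s, char *first, size_t firstlen)
{
    int count = 0;
    const char *p = s;

    if (firstlen)
        first[0] = '\0';
    while ((p = strchr(p, '%')) != NULL) {
        const char *start = p;
        p++;
        if (*p == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        /* flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0.123456789*hlLqjzt", *p))
            p++;
        if (*p)               /* the conversion character itself */
            p++;
        if (count == 0 && firstlen) {
            size_t len = (size_t)(p - start);
            if (len >= firstlen)
                len = firstlen - 1;
            memcpy(first, start, len);
            first[len] = '\0';
        }
        count++;
    }
    return count;
}

/* Mirrors the URL check seen in the syslog lines: returns the first of
 * '%', ':', '@', '\r', '\n' found in url, or 0 if none is present. */
static int url_suspicious_char(const char *url)
{
    const char *hit = strpbrk(url, "%:@\r\n");
    return hit ? (unsigned char)*hit : 0;
}

int main(void)
{
    /* Request path from the thread, as the browser sent it after escaping */
    const char *url = "/%60ls%60";
    char line[256];
    char spec[16];
    int n;

    n = trace_event_safe(line, sizeof line,
                         "%7d. Requested URL = '%s', length = %d\n",
                         12, url, -1);
    printf("logged %d bytes safely\n", n);
    printf("as a format string this line would hold %d directive(s), "
           "first: %s\n", format_directives(line, spec, sizeof spec), spec);
    printf("URL check flags: %c\n", url_suspicious_char(url));
    return 0;
}
```

Running it shows the same log line the crashed process was printing, reports that it would have contributed two directives (the first being "%60ls", exactly the wide-string conversion the backtrace stops in), and that the URL check rejects the request on the '%' before any such line should be emitted.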
