ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT

From: gobblesat_private
Date: Thu Apr 11 2002 - 06:42:18 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Dear World,
    Below is copy paste of GOBBLES advisory for NTOP.  NTOP available from www.ntop.org.  This serious remote root bug in logging mechanism.  Time for alert and disclosure is now.
    
    Website with other advisories at http://www.bugtraq.org.  It look like shit because on free host.  GOBBLES poor researcher who not out for the big dollar, and nothing that can be done about this at this time.
    
    The question:
    "Freedom vs. Security: who will win?"
    
    The answer:
    GOBBLES.  It time for full disclosure.
    
    All bets off.
    
    GOBBLES SECURITY ADVISORY #31
    Preauthentication Remote Root Hole in NTOP
    
    Forward:
    GOBBLES is afraid that zen-parse have found a copy of private GOBBLES exploit for this vulnerability and will try to contact vendor in sneaky fashion to pretend he found bug, without issuing typical conditional advisory full of "if this present, and this present, and the moon is full, two month later you get uid(uucp) on default install of Redhat Linux 1.1" for fame advisory, which seem to be typical practice for this shady character, thus forcing GOBBLES to quick release of advisory with no time to contact vendor.  Though GOBBLES not to offer apologies to anyone this might hurt, because at this point GOBBLES not really give a fuck about things.
    
    No more "I found exploit in wild, must contact developer like good ethical whitehat loser."  This is not actual ethical action.  Proper credit must go to proper researcher.  This now race condition.
    
    GOBBLES to come out victorious.
    
    3APAPA, GOBBLES check your silly website.  Do not try to claim you find this 20 years ago and say, "GOBBLES, you still behind the leaders."  GOBBLES is the leader.  There no competition here,  especially from you. . .
    
    Vendor Website:
    http://www.ntop.org
    
    Threat Level:
    "So high, that Securityfocus will stop blocking our submissions and allow it on their lists...  at least, we hope!"
    
    Description of Software:
    hehe, GOBBLES flex he wrists for copy paste and show the eager penetrator the following:
    
    
       What's ntop?
    
   ntop is a Unix tool that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform and on Win32 as well. I have developed libpcap for Win32 (port of libpcap to Win32) in order to have a single ntop source tree.

   ntop comes with two applications: the 'classical' ntop that sports an embedded web server, and intop (interactive ntop) is basically a network shell based on the ntop engine.

   intop provides a powerful and flexible interface to the ntop packet sniffer. Since ntop has grown so much in functionality and it cannot be simply considered a network-browser, the problem of capturing and showing network usage has been split. As of version 1.3 the ntop engine captures packets, performs traffic analysis and information storage. intop implements a bare, command line based interface, with an apparently spartan look and feel, but a lot of functionality already implemented, and others planned for future releases.
    
   Users can use a web browser (e.g. netscape) to navigate through ntop (that acts as a web server) traffic information and get a dump of the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an embedded web interface.
    
       What can ntop do for me?
    
         * Sort network traffic according to many protocols
         * Show network traffic sorted according to various criteria
         * Display traffic statistics
         * Show IP traffic distribution among the various protocols
         * Analyse IP traffic and sort it according to the source/destination
         * Display IP Traffic Subnet matrix (who's talking to who?)
         * Report IP protocol usage sorted by protocol type
   Platforms
         * Unix
         * Win32
    
       Media
         * Loopback
         * Ethernet
         * Token Ring
         * PPP
         * Raw IP
         * FDDI
    
   IP Protocols Fully User Configurable

   Additional Features
         * Embedded HTTP server
         * Network Flows
         * Local Traffic Analysis
         * Multithread
         * Lightweight Network IDS (Intrusion Detection System)
         * C++/Perl lightweight API for accessing ntop from remote
         * Internet Domain Statistics
         * CGI support
         * Advanced 'per user' HTTP password protection with encrypted passwords
         * Support for SQL database for storing persistent traffic information
         * Remote hosts OS identification (via nmap)
         * HTTPS (Secure HTTP via OpenSSL)
         * libwrap support
         * Virtual/multiple network interfaces support
         * Graphical Charts (via gdchart)
         * Perl Interface
         * WAP support
    
    hehehehehehehe ;pppppppppppppppppp
    
    
    Description of Problem(s):
    Before GOBBLES give you information needed to get uid(0) everywhere, he want to show you something about ntop which may be something used to discourage you from using lame software.
    
    GOBBLES@dev02:/home/hacking/ntop > grep -r "Buffer overflow" * -r |wc -l
        513
    
    Programmer know he own code is lame and have issues, but all he can do to fix is tell you why he program sucks. . .
    
    On to more pressing matter.
    
    From util.c, we look at content of function traceLevel().
    
    ...
    
            switch(traceLevel) {
            case 0:
              syslog(LOG_ERR, buf);
              break;
            case 1:
              syslog(LOG_WARNING, buf);
              break;
            case 2:
              syslog(LOG_NOTICE, buf);
              break;
            default:
              syslog(LOG_INFO, buf);
              break;
            }
    #else
            syslog(LOG_ERR, buf);
    
    ...
    
    Uh oh, there some bugs!  But now important question is, can GOBBLES control buf with malicious GOBBLEScode to execute rm -rf /* on machine?  Lets take a look at how function traceLevel() called throughout rest of code.
    
    Time to look at admin.c
    
          traceEvent(TRACE_INFO, "User='%s' - Pw='%s [%s]'\n", user, pw, data_data.dptr);
    
    Uh oh.  Option to log username and password sent to http for authentication to ntop, when faulty syslog() and printf() statement to be called.
    
    This remote and root.  Beware.
    
    Fix:
    None at this time.  Thank zen-parse for being leech.
    
    Suggested Workaround:
    Don't run software on network that can report buffer overflows in itself from 513 different locations in the code.
    
    Greets:
    Our #1 fan, Dave Aitel.  Dave, GOBBLES love you -- you get free GOBBLES Security tshirt at Defcon.
    
    
    Love to all (but especially to "bob"),
    GOBBLES Security
    http://www.bugtraq.org
    GOBBLESat_private
    
    
    ps: GOBBLES currently in communication with Sun Microsystems about lethal remote bug in Solaris 6, 7, and 8.  Sun has asked GOBBLES to wait one month to release advisory so that service can be fixed.  GOBBLES not sure if he can wait this long, but will try very hard to not click "send" for while longer on hole.  If you run Solaris, likely you are vulnerable.  But you will have to wait.
    
    No joke, this serious remote root hole.  GOBBLES turned blind eye to argument from hackers about danger of releasing vulnerabilities.  GOBBLES know that only hackers care about non-disclosure.  Anyone else is likely to be very boring. :))))
    
    Hey, GOBBLES considered two ways of getting fame and recognition for he world-class security group... 1. put up a message board on bugtraq.org with gobbles group name branded all over it and let world know he have private exploits... 2. submit ground-breaking research to the securityfocus mailing lists.....
    
    hey, the latter has a bigger audience ;)))))))
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com
    
    wlwEARECABwFAjy1k3cVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPsUEA
    n0YCfbYbhyvYgWYIolGRX8FVIbCHAJ0dLAzuHGB7ruhgsINM38dBPJ2Opw==
    =/r5w
    -----END PGP SIGNATURE-----
    
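The defect the advisory points at is a classic format-string bug: traceEvent() builds a line that already carries the HTTP username/password and then passes that line to syslog() as the format argument, so any '%' sequences in the credentials are interpreted a second time. The following added example (written for this page, not ntop's own code) shows the hardened logging pattern beside the vulnerable one, and a small helper a defender can use to flag credentials that carry format directives; the function names and the redacted-password policy are this example's assumptions.

```c
/* Added example, not ntop source: safe vs. unsafe syslog() usage. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOG_LINE_MAX 256
static char g_line[LOG_LINE_MAX];   /* one line buffer for the example */

/* The pattern from ntop's util.c, shown only as a comment:
 *     syslog(LOG_ERR, buf);        // buf already holds user-supplied text
 * buf is parsed as a format string, so "%n"/"%x" inside it are executed. */

/* Hardened step 1: expand the developer's trusted format exactly once into
 * a fixed buffer; untrusted data only ever travels through %s arguments.
 * vsnprintf never writes past the buffer, it truncates instead. */
static int format_log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened step 2: the finished text goes to syslog through a constant
 * "%s" format, so every '%' in the data is printed literally. */
void emit_log_safe(int prio, const char *line)
{
    syslog(prio, "%s", line);
}

/* Render the auth-trace line the advisory quotes, but with the password
 * redacted (assumption of this example: credentials never reach the log). */
const char *render_auth_line(const char *user)
{
    format_log_line(g_line, sizeof g_line, "User='%s' - Pw='[redacted]'", user);
    return g_line;
}

/* Detection helper: count conversion directives in untrusted input.
 * A "%%" pair is a literal percent sign and is not counted; a username
 * carrying "%n" or a run of "%x" is worth an alert in the access log. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* escaped, harmless */
        count++;                              /* includes a trailing lone '%' */
    }
    return count;
}
```

Compiling with -Wformat-security makes the compiler itself report the unsafe form, which is the cheapest way to audit a tree like the one the advisory greps through.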



    This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 12:22:28 PDT