ntop Server Vulnerability
Updated 3/5/02
CVE 2000-0705
CVE 2000-0706
CVE 2002-0412
Impact
A vulnerability in the ntop server allows read access to
any file on the system. Two other vulnerabilities could allow
an attacker to execute arbitrary commands.
Background
ntop is a utility which provides information on network usage.
It can be used interactively, or it can run as a daemon on a
selected TCP port (3000 by default). If it is running as
a daemon, ntop can be used from a remote web browser.
The Problems
CVE 2000-0705
When ntop runs as a daemon, it does
not validate pathnames supplied by the user. Therefore,
a user can view any file on the system by supplying
a pathname including the ../ sequence.
Arbitrary files can be viewed by supplying a pathname
relative to the ntop web root directory.
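The missing check, shown as an added example (not ntop's code and not the vendor's fix): the requested pathname is resolved component by component and refused if it climbs above the web root. The function name resolve_request, the web root /var/www and the sample requests are assumptions made for illustration, and the request is assumed to be URL-decoded already.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not ntop code): join `root` and the already
 * URL-decoded request path `req` into `out`, resolving "." and ".."
 * lexically. Returns 0 on success, -1 if the request climbs above `root`
 * or the result does not fit in `out`. Symbolic links are not resolved. */
int resolve_request(const char *root, const char *req, char *out, size_t outlen)
{
    size_t rootlen = strlen(root);
    size_t len = rootlen;

    if (rootlen + 1 > outlen)
        return -1;
    memcpy(out, root, rootlen + 1);
    while (*req) {
        size_t n = strcspn(req, "/");           /* length of next component */
        if (n == 2 && req[0] == '.' && req[1] == '.') {
            if (len == rootlen)
                return -1;                      /* would leave the web root */
            while (out[len - 1] != '/')         /* drop the last component */
                len--;
            out[--len] = '\0';                  /* and its leading slash */
        } else if (n > 0 && !(n == 1 && req[0] == '.')) {
            if (len + 1 + n + 1 > outlen)
                return -1;                      /* bounded copy, no overflow */
            out[len++] = '/';
            memcpy(out + len, req, n);
            len += n;
            out[len] = '\0';
        }                                       /* "" and "." are skipped */
        req += n;
        if (*req == '/')
            req++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample requests, relative to a hypothetical web root. */
    const char *reqs[] = { "index.html", "a/../b/./c.html", "img/../../etc/passwd" };
    char buf[64];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-22s -> %s\n", reqs[i],
               resolve_request("/var/www", reqs[i], buf, sizeof buf) ? "rejected" : buf);
    return 0;
}
```

A server that follows symbolic links would also need to compare the canonical path (for example from realpath()) against the web root before opening the file.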
CVE 2000-0706
CAN 2002-0412
There is also a buffer overflow condition and a format
string problem (3/5/02) in the ntop daemon.
Either of these two vulnerabilities could allow an attacker
to execute arbitrary commands at the privilege level of the
user running ntop.
Resolutions
Upgrade to the latest snapshot of ntop. Snapshots of ntop
version 2.0.1 dated March 1, 2002 or later are fixed.
As a further precaution, do not run ntop as a daemon if the
web interface is not needed. To disable daemon mode, remove
the -w option from ntop in the boot-up scripts. ntop can
still be used safely in interactive mode.
Where can I read more about this?
The file access vulnerability was posted to Bugtraq. The
buffer overflow was discussed in an advisory from Debian.
The format string problem was reported in Bugtraq.