ntop -i Variable Format String Arbitrary Code Execution

2000-10-18T00:00:00
ID OSVDB:6512
Type osvdb
Reporter AirPlane (ksecurity@iland.co.kr)
Modified 2000-10-18T00:00:00

Description

Vulnerability Description

ntop contains a flaw that may allow a local user to elevate their privileges. The flaw is due to user input to the "-i" argument not being sanitized. An attacker can supply a specially crafted value that is then incorrectly used as a format string, allowing for arbitrary code execution.

Solution Description

Upgrade to version 2.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific Advisory URL
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-10/0277.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-01/0470.html
ISS X-Force ID: 6051
Bugtraq ID: 1840