Bug 23274

Summary: Possible buffer overflow in http interface.
Product: [Retired] Red Hat Powertools
Reporter: Need Real Name <sa>
Component: ntop
Assignee: Than Ngo <than>
Status: CLOSED RAWHIDE
Severity: medium
Priority: high
Version: 7.0
CC: dr
Keywords: Security
Hardware: i386
OS: Linux
Whiteboard: Florence Gold
Doc Type: Bug Fix
Last Closed: 2001-02-09 18:49:35 UTC

Description Need Real Name 2001-01-04 08:27:28 UTC
ntop seems to be a very badly written program; lots of buffers are allocated of random lengths and then used as return buffers for other functions (where the numbers are duplicated, made smaller, but never gotten via a constant declared somewhere else).

I've just taken a quick look at http.c (to fix the nonworking admin URLs)...

There are a couple of buffer overflows in http.c:
handleHTTPrequest calls readHTTPheader with a stack-allocated 64 character long buffer called pw. readHTTPheader reads up to 255 bytes from the network and if the first 21 characters are "Authorization: Basic ", the rest of the line is copied to pw. Any characters except NUL, CR and LF are allowed, so most shellcodes would work. Whether this is exploitable or not, I don't know (it depends on the compiler used to compile it and how it lays out the stack).

doAddUser in admin.c is called with a value that is the number of bytes a POST request is made of. It is gotten from an atoi() call in readHTTPheader (in http.c) with no checks for its length. In doAddUser a network socket read is made for that number of characters and they are stored in a stack-allocated 256 character long buffer. doAddURL is almost a copy of doAddUser and can be used in the same way. Both functions seem exploitable to me.
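
The two checks the report says are missing, written out as an added illustration in C (constructed here, not ntop's own http.c or admin.c): the credential copy is bounded by the 64-byte pw buffer, and the Content-Length is parsed and validated against the 256-byte body buffer before any read of that size is issued. Buffer sizes and the 21-character prefix come from the report; the function names and pw_buf are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_LEN       64   /* size of the stack buffer pw in the report */
#define POST_BUF_LEN 256  /* size of doAddUser's stack buffer in the report */
#define AUTH_PREFIX  "Authorization: Basic "

char pw_buf[PW_LEN];      /* stands in for the caller's 64-byte buffer */

/* Copy the credential of an "Authorization: Basic ..." line into pw
 * (capacity pw_len): 0 on success, -1 if not such a header, -2 if it
 * would not fit. The reported code copied the rest of the line unchecked. */
int copy_basic_credential(const char *line, char *pw, size_t pw_len)
{
    size_t plen = strlen(AUTH_PREFIX);
    if (strncmp(line, AUTH_PREFIX, plen) != 0)
        return -1;
    const char *cred = line + plen;
    size_t clen = strcspn(cred, "\r\n");  /* credential ends at CR/LF */
    if (clen >= pw_len)                   /* must leave room for the NUL */
        return -2;
    memcpy(pw, cred, clen);
    pw[clen] = '\0';
    return 0;
}

/* Parse a Content-Length value and bound it by the receiving buffer:
 * the length, or -1 if empty, non-numeric, negative or above buf_len.
 * The reported code used bare atoi() and read that many bytes into 256. */
long checked_content_length(const char *value, size_t buf_len)
{
    char *end;
    errno = 0;
    long n = strtol(value, &end, 10);
    if (end == value || errno == ERANGE || n < 0)
        return -1;
    while (*end == ' ' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0' || (unsigned long)n > buf_len)
        return -1;
    return n;
}

int main(void)
{
    int rc = copy_basic_credential("Authorization: Basic dXNlcjpwYXNz\r\n", pw_buf, PW_LEN);
    printf("rc=%d pw=%s clen=%ld\n", rc, pw_buf, checked_content_length("4096", POST_BUF_LEN));
    return 0;
}
```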

Comment 1 Glen Foster 2001-02-09 18:49:31 UTC
We (Red Hat) should really try to resolve this before next release.

Comment 2 Ngo Than 2001-02-12 14:29:49 UTC
It's fixed in ntop-1.3.2-4. You will find it in the next rawhide release.