ntop seems to be a very badly written program: lots of buffers are allocated
with random lengths and then used as return buffers for other functions (where
the numbers are made smaller, but never taken from a constant declared
somewhere else).
I've just taken a quick look at http.c (to fix the non-working admin
There are a couple of buffer overflows in http.c:
handleHTTPrequest calls readHTTPheader with a stack-allocated 64-character
buffer called pw. readHTTPheader reads up to 255 bytes from the
network and if the first 21 characters are "Authorization: Basic ", the
rest of the line is copied to pw. Any characters except NUL, CR and LF are
allowed, so most shellcodes would work. If this is exploitable or not, I
don't know (it depends on the compiler used to compile it and how it lays
out the stack).
doAddUser in admin.c is called with a value that is the number of bytes a
POST request is made of. It is gotten from an atoi() call in readHTTPheader
(in http.c) with no checks for its length. In doAddUser a network socket
read is made for that number of
they are stored in a stack-allocated 256-character buffer. doAddURL is
almost a copy of doAddUser and can be used in the same way. Both functions
seem exploitable to me.
We (Red Hat) should really try to resolve this before next release.
It's fixed in ntop-1.3.2-4. You will find it in the next rawhide release.
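The two unsafe patterns the report above describes (copying an Authorization value into a fixed 64-byte pw buffer, and trusting an atoi() byte count when reading a POST body into a 256-byte buffer), shown with bounds-checked parsing as an added example. This is not ntop's code; parse_basic_auth, parse_content_length, PW_LEN and POST_LEN are names assumed for illustration, and the sample lines are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_LEN 64       /* size of the stack buffer the report describes */
#define POST_LEN 256    /* size of the POST body buffer in doAddUser */

/* Hypothetical hardened version of the header copy: place the value of an
 * "Authorization: Basic " line into pw, refusing (not silently truncating)
 * a value that would not fit. Returns 1 on success, 0 otherwise. */
int parse_basic_auth(const char *line, char *pw, size_t pw_len)
{
    static const char prefix[] = "Authorization: Basic ";
    size_t plen = sizeof prefix - 1;
    if (strncmp(line, prefix, plen) != 0)
        return 0;                           /* not an Authorization line */
    const char *val = line + plen;
    size_t vlen = strcspn(val, "\r\n");     /* value ends at CR or LF */
    if (vlen >= pw_len)                     /* no room for the NUL: reject */
        return 0;
    memcpy(pw, val, vlen);
    pw[vlen] = '\0';
    return 1;
}

/* Parse a Content-Length value with strtol instead of atoi, accepting only
 * a non-negative count that fits in a buffer of buf_len bytes.
 * Returns the count, or -1 on any error (bad number, negative, too big). */
long parse_content_length(const char *s, size_t buf_len)
{
    char *end;
    errno = 0;
    long n = strtol(s, &end, 10);
    if (errno != 0 || end == s || (*end != '\0' && *end != '\r' && *end != '\n'))
        return -1;                          /* not a clean decimal number */
    if (n < 0 || (unsigned long)n > buf_len)
        return -1;                          /* would not fit in the buffer */
    return n;
}

int main(void)
{
    char pw[PW_LEN];
    /* constructed sample header lines, not captured traffic */
    printf("auth ok=%d\n", parse_basic_auth("Authorization: Basic dXNlcjpwYXNz\r\n", pw, sizeof pw));
    printf("len=%ld\n", parse_content_length("100\r\n", POST_LEN));
    printf("len=%ld\n", parse_content_length("4096\r\n", POST_LEN));   /* rejected: -1 */
    return 0;
}
```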