Bug 23274 - Possible buffer overflow in http interface.
Possible buffer overflow in http interface.
Status: CLOSED RAWHIDE
Product: Red Hat Powertools
Classification: Retired
Component: ntop (Show other bugs)
7.0
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Ngo Than
Florence Gold
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-01-04 03:27 EST by Need Real Name
Modified: 2008-05-01 11:37 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-02-09 13:49:35 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2001-01-04 03:27:28 EST
ntop seem to be a very badly written program, lots of buffers are allocated
of random lengths
and then used as return buffers for other functions (where the numbers are
duplicated,
made smaller, but never gotten via a constant declared somewhere else).

I've just taken a quick look at http.c (to fix the nonworking admin
URLs)...

There is a couple of buffer overflows in http.c:
handleHTTPrequest calls readHTTPheader with a stack allocated 64 character
long buffer called pw. readHTTPheader reads up to 255 bytes from the
network and if the first 21 characters are "Authorization: Basic ", the
rest of the line is copied to pw. Any characters except NUL, CR and LF are
allowed, so most shellcodes would work. If this is exploitable or not, I
don't know (it depends on the compiler used to compile it and how it lays
out the stack).

doAddUser in admin.c is called with a value that is the number of bytes a
POST request is made of. It is gotten from a atoi() call in readHTTPheader
(in http.c) with no checks for
its length. In doAddUser a network socket read is made for that number of
characters and
they are stored in a stackallocated 256 character long buffer. doAddURL is
almost a copy of doAddUser and can be used in the same way. Both functions
seem exploitable to me.
Comment 1 Glen Foster 2001-02-09 13:49:31 EST
We (Red Hat) should really try to resolve this before next release.
Comment 2 Ngo Than 2001-02-12 09:29:49 EST
It's fixed in ntop-1.3.2-4. You will find it in the next rawhide release.

Note You need to log in before you can comment on or make changes to this bug.