Bug 23274 - Possible buffer overflow in http interface.
Summary: Possible buffer overflow in http interface.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Powertools
Classification: Retired
Component: ntop
Version: 7.0
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact:
URL:
Whiteboard: Florence Gold
Depends On:
Blocks:
 
Reported: 2001-01-04 08:27 UTC by Need Real Name
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2001-02-09 18:49:35 UTC
Embargoed:



Description Need Real Name 2001-01-04 08:27:28 UTC
ntop seems to be a very badly written program; lots of buffers are allocated of random lengths and then used as return buffers for other functions (where the numbers are duplicated, made smaller, but never gotten via a constant declared somewhere else).

I've just taken a quick look at http.c (to fix the non-working admin URLs)...

There are a couple of buffer overflows in http.c:
handleHTTPrequest calls readHTTPheader with a stack-allocated 64-character-long buffer called pw. readHTTPheader reads up to 255 bytes from the network and, if the first 21 characters are "Authorization: Basic ", the rest of the line is copied to pw. Any characters except NUL, CR and LF are allowed, so most shellcodes would work. Whether this is exploitable or not, I don't know (it depends on the compiler used to compile it and how it lays out the stack).

doAddUser in admin.c is called with a value that is the number of bytes a POST request is made of. It is gotten from an atoi() call in readHTTPheader (in http.c) with no checks for its length. In doAddUser a network socket read is made for that number of characters and they are stored in a stack-allocated 256-character-long buffer. doAddURL is almost a copy of doAddUser and can be used in the same way. Both functions seem exploitable to me.

Comment 1 Glen Foster 2001-02-09 18:49:31 UTC
We (Red Hat) should really try to resolve this before next release.

Comment 2 Ngo Than 2001-02-12 14:29:49 UTC
It's fixed in ntop-1.3.2-4. You will find it in the next rawhide release.

