-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:36 Security Advisory FreeBSD, Inc. Topic: ntop port allows remote and minor local compromise Category: ports Module: ntop Announced: 2000-08-14 Credits: Discovered during internal auditing Affects: Ports collection prior to the correction date. Corrected: 2000-08-12 (However see below) Vendor status: Contacted FreeBSD only: NO I. Background ntop is a utility for monitoring and summarizing network usage, from the command-line or remotely via HTTP. II. Problem Description The ntop software is written in a very insecure style, with many potentially exploitable buffer overflows (including several demonstrated ones) which could in certain conditions allow the local or remote user to execute arbitrary code on the local system with increased privileges. By default the ntop port is installed setuid root and only executable by root and members of the 'wheel' group. The 'wheel' group is normally only populated by users who also have root access, but this is not necessarily the case (the user must know the root password to increase his or her privileges). ntop allows a member of the wheel group to obtain root privileges directly through a local exploit. If invoked in 'web' mode (ntop -w) then any remote user who can connect to the ntop server port (which is determined by local configuration) can execute arbitrary code on the server as the user running the ntop process, regardless of whether or not they can authenticate to the ntop server by providing a valid username and password. This will not necessarily yield root privileges unless ntop -w is executed as root since by the time it services network connections the program has dropped privileges, although it retains the ability to view all network traffic on the sampled network interface (instead of just the connection summaries which ntop normally presents). However, since ntop is not executable by unprivileged users, it is likely that the majority of installations using 'ntop -w' are doing so as root, in which case full system compromise is directly possible. The ntop port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 3700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5 and 4.1 contain this problem since it was discovered after the releases. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Local users who are members of the wheel group can obtain root privileges without having to pass through the normal system security mechanisms (i.e. entering the root password). If ntop is run in "web" mode (ntop -w) then remote users who can connect to the ntop server port can also execute arbitrary code on the server as the user running ntop -w (usually root). If you have not chosen to install the ntop port/package, then your system is not vulnerable to this problem. IV. Workaround 1) Remove the setuid bit from the ntop binary so that only the superuser may execute it. Depending on local policy this vulnerability may not present significant risk. 2) Avoid using ntop -w. If ntop -w is required, consider imposing access controls to limit access to the ntop server port (e.g. using a perimeter firewall, or ipfw(8) or ipf(8) on the local machine). Note that specifying a username/password access list within the ntop configuration file is insufficient, as noted above. Users who pass the access restrictions can still gain privileges as described above. V. Solution Due to the lack of attention to security in the ntop port no simple fix is possible: for example, the local root overflow can easily be fixed, but since ntop holds a privileged network socket a member of the wheel group could still obtain direct read access to all network traffic by exploiting other vulnerabilities in the program, which remains a technical security violation. The FreeBSD port has been changed to disable '-w' mode and remove the setuid bit, so that the command is only available locally to the superuser. Full functionality will be restored once the ntop developers have addressed these security concerns and provided an adequate fix - this advisory will be reissued at that time. To upgrade your ntop port/package, perform one of the following: 1) Upgrade your entire ports collection and rebuild the ntop port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntop-1.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntop-1.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/ntop-1.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntop-1.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/ntop-1.1.tgz NOTE: It may be several days before updated packages are available. Be sure to check the file creation date on the package, because the version number of the software has not changed. 3) download a new port skeleton for the ntop port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOZh1m1UuHi5z0oilAQFcIgQArlP0hzT+scsGxjI7wTWXh5fgm5E+CFh0 EfeIvYgGCzsCCCAS0nm3vo+a1IUxloJdk27K2oO4aCjTLy+gLe/vnW28gWn9dzle nIyUDFudMpsx/WpO4F4UkMPTX+w0fiWpNvY2KddjwOeBn2xhRJik9ZVTMpc7zTe6 +2DGgV9jAnM= =9UuJ -----END PGP SIGNATURE-----