Signature Detail


Short Name

APP:NTOP-WEB-FS1

Severity

Critical

Recommended

No

Recommended Action

Drop

Category

APP

Keywords

Ntop Web Interface Format String Vulnerability

Release Date

2003/04/22

Update Number

1213

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

APP: Ntop Web Interface Format String Vulnerability

This signature detects attempts to exploit a known vulnerability against Ntop, an application for displaying network usage (similar to the common UNIX command "top"). When the Web interface is enabled (tcp/3000), attackers can send a maliciously crafted string to crash the ntop daemon and execute arbitrary commands.

Extended Description

ntop is a tool designed to give an overview of network performance and usage, similar to the Unix top command. ntop was designed for Linux, BSD and Unix based systems, although it has also been ported to Windows.

A vulnerability has been reported in some versions of ntop. User supplied data is used in an unsafe manner in printf and syslog calls, leading to a format string vulnerability. Exploitation of this vulnerability may result in the execution of arbitrary code. If ntop is executed with the -w flag, it may be possible to remotely exploit this vulnerability through a malicious HTTP request.

It was also reported that this condition was produced using Netscape with the following web request: http://target:port/`ls`. This occurred because Netscape was URL encoding the request, which caused the request to be interpreted as a format string by ntop. For example, `ls` is converted to %60ls%60.

Other versions of ntop may share this vulnerability. This has not been confirmed.
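Added example, not Juniper's signature logic and not ntop's code: a small C check that scans the raw, still URL-encoded request path for printf conversion specifications (the pattern the description above illustrates with %60ls%60, where "%60ls" is itself a complete conversion: width 60, length modifier l, conversion s), next to the safe way of logging such a string, with the request passed as an argument to a fixed format rather than as the format itself. Function names and the sample request are assumptions for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion specifications in a raw request path.
 * A non-zero result flags a request that must never reach printf() or
 * syslog() as the format argument. Hypothetical helper, not ntop's code. */
int count_format_specs(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                        /* "%%" is a literal percent */
        while (*p && strchr("-+ #0", *p))    /* flags */
            p++;
        while (isdigit((unsigned char)*p) || *p == '*' || *p == '.')
            p++;                             /* width and precision */
        while (*p && strchr("hlLqjzt", *p))  /* length modifiers */
            p++;
        if (*p == '\0')
            break;                           /* string ended mid-spec */
        if (strchr("diouxXeEfgGcspn", *p))
            n++;                             /* a real conversion ends here */
    }
    return n;
}

/* Safe logging of attacker-controlled text: the request is an argument to a
 * fixed format, never the format itself. The same rule applies to
 * syslog(LOG_INFO, "%s", request). Returns a static buffer for simplicity. */
const char *format_log_line(const char *request)
{
    static char line[256];
    snprintf(line, sizeof line, "GET %s", request);
    return line;
}

int main(void)
{
    const char *probe = "/%60ls%60";   /* constructed sample from the description */
    printf("%s -> %d conversion spec(s), logged verbatim as \"%s\"\n",
           probe, count_format_specs(probe), format_log_line(probe));
    return 0;
}
```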

Affected Products

  • Luca Deri ntop 2.0.0

References

  • BugTraq: 4225
  • CVE: CVE-2002-0412
  • URL: http://www.securitytracker.com/alerts/2002/Mar/1003729.html

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.