APP: Ntop Web Interface Format String Vulnerability
This signature detects attempts to exploit a known vulnerability against Ntop, an application for displaying network usage (similar to the common UNIX command "top"). When the Web interface is enabled (tcp/3000), attackers can send a maliciously crafted string to crash the ntop daemon and execute arbitrary commands.
Extended Description
ntop is a tool designed to give an overview of network performance and usage, similar to the Unix top command. ntop was designed for Linux, BSD and Unix based systems, although it has also been ported to Windows. A vulnerability has been reported in some versions of ntop. User supplied data is used in an unsafe manner in printf and syslog calls, leading to a format string vulnerability. Exploitation of this vulnerability may result in the execution of arbitrary code. If ntop is executed with the -w flag, it may be possible to remotely exploit this vulnerability through a malicious HTTP request. It was also reported that this condition was produced using Netscape with the following web request: http://target:port/`ls` This occurred because Netscape was URL encoding the request, which caused the request to be interpreted as a format string by NTop. For example, `ls` is converted to %60ls%60. Other versions of ntop may share this vulnerability. This has not been confirmed.
Affected Products
Luca_deri ntop
References
BugTraq: 4225
CVE: CVE-2002-0412
URL: http://www.securitytracker.com/alerts/2002/Mar/1003729.html
Short Name
APP:NTOP-WEB-FS1
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
APP
Keywords
CVE-2002-0412 Format Interface Ntop String Vulnerability Web bid:4225
Release Date
04/22/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
Port
TCP/3000
False Positive
Unknown
Vendors
Luca_deri
CVSS Score
7.5