Bugtraq mailing list archives

ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT


From: gobbles () hushmail com
Date: Thu, 11 Apr 2002 06:42:18 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear World,
Below is copy paste of GOBBLES advisory for NTOP.  NTOP available from www.ntop.org.  This serious remote root bug in 
logging mechanism.  Time for alert and disclosure is now.

Website with other advisories at http://www.bugtraq.org.  It look like shit because on free host.  GOBBLES poor 
researcher who not out for the big dollar, and nothing that can be done about this at this time.

The question:
"Freedom vs. Security: who will win?"

The answer:
GOBBLES.  It time for full disclosure.

All bets off.

GOBBLES SECURITY ADVISORY #31
Preauthentication Remote Root Hole in NTOP

Forward:
GOBBLES is afraid that zen-parse have found a copy of private GOBBLES exploit for this vulnerability and will try to 
contact vendor in sneaky fashion to pretend he found bug, without issuing typical conditional advisory full of "if this 
present, and this present, and the moon is full, two month later you get uid(uucp) on default install of Redhat Linux 
1.1" for fame advisory, which seem to be typical practice for this shady character, thus forcing GOBBLES to quick 
release of advisory with no time to contact vendor.  Though GOBBLES not to offer apologies to anyone this might hurt, 
because at this point GOBBLES not really give a fuck about things.

No more "I found exploit in wild, must contact developer like good ethical whitehat loser."  This is not actual ethical 
action.  Proper credit must go to proper researcher.  This now race condition.

GOBBLES to come out victorious.

3APAPA, GOBBLES check your silly website.  Do not try to claim you find this 20 years ago and say, "GOBBLES, you still 
behind the leaders."  GOBBLES is the leader.  There no competition here,  especially from you. . .

Vendor Website:
http://www.ntop.org

Threat Level:
"So high, that Securityfocus will stop blocking our submissions and allow it on their lists...  at least, we hope!"

Description of Software:
hehe, GOBBLES flex he wrists for copy paste and show the eager penetrator the following:

   What's ntop?

   ntop is a Unix tool that shows the network usage, similar to what the popular top Unix command does. ntop is based 
on libpcap and it has been written in a portable way in order to virtually run on every Unix platform and on Win32 as 
well. I have developed libpcap for Win32 (port of libpcap to Win32) in order to have a single ntop source tree.

   ntop comes with two applications: the 'classical' ntop that sports an embedded web server, and intop (interactive 
ntop) is basically a network shell based on the ntop engine.

   intop provides a powerful and flexible interface to the ntop packet sniffer. Since ntop has grown so much in 
functionality and it cannot be simply considered a network-browser, the problem of capturing and showing network usage 
has been split. As of version 1.3 the ntop engine captures packets, performs traffic analysis and information storage. 
intop implements a bare, command line based interface, with an apparently spartan look and feel, but a lot of 
functionality already implemented, and others planned for future releases.

   [screenshots: intop1.gif, intop2.gif]

   Users can use a web browser (e.g. netscape) to navigate through ntop (that acts as a web server) traffic 
information and get a dump of the network status. In the latter case, ntop can be seen as a simple RMON-like agent with 
an embedded web interface.

   [screenshots: ntop1s.gif, ntop2s.gif]

   What can ntop do for me?

     * Sort network traffic according to many protocols
     * Show network traffic sorted according to various criteria
     * Display traffic statistics
     * Show IP traffic distribution among the various protocols
     * Analyse IP traffic and sort it according to the source/destination
     * Display IP Traffic Subnet matrix (who's talking to who?)
     * Report IP protocol usage sorted by protocol type

   Platforms
     * Unix
     * Win32

   Media
     * Loopback
     * Ethernet
     * Token Ring
     * PPP
     * Raw IP
     * FDDI

   IP Protocols Fully User Configurable

   Additional Features
     * Embedded HTTP server
     * Network Flows
     * Local Traffic Analysis
     * Multithread
     * Lightweight Network IDS (Intrusion Detection System)
     * C++/Perl lightweight API for accessing ntop from remote
     * Internet Domain Statistics
     * CGI support
     * Advanced 'per user' HTTP password protection with encrypted passwords
     * Support for SQL database for storing persistent traffic information
     * Remote hosts OS identification (via nmap)
     * HTTPS (Secure HTTP via OpenSSL)
     * libwrap support
     * Virtual/multiple network interfaces support
     * Graphical Charts (via gdchart)
     * Perl Interface
     * WAP support

hehehehehehehe ;pppppppppppppppppp


Description of Problem(s):
Before GOBBLES give you information needed to get uid(0) everywhere, he want to show you something about ntop which may 
be something used to discourage you from using lame software.

GOBBLES@dev02:/home/hacking/ntop > grep -r "Buffer overflow" * -r |wc -l
    513

Programmer know he own code is lame and have issues, but all he can do to fix is tell you why he program sucks. . .

On to more pressing matter.

From util.c, we look at content of function traceLevel().

...

        switch(traceLevel) {
        case 0:
          syslog(LOG_ERR, buf);
          break;
        case 1:
          syslog(LOG_WARNING, buf);
          break;
        case 2:
          syslog(LOG_NOTICE, buf);
          break;
        default:
          syslog(LOG_INFO, buf);
          break;
        }
#else
        syslog(LOG_ERR, buf);

...

Uh oh, there some bugs!  But now important question is, can GOBBLES control buf with malicious GOBBLEScode to execute 
rm -rf /* on machine?  Lets take a look at how function traceLevel() called throughout rest of code.

Time to look at admin.c

      traceEvent(TRACE_INFO, "User='%s' - Pw='%s [%s]'\n", user, pw, data_data.dptr);

Uh oh.  Option to log username and password sent to http for authentication to ntop, when faulty syslog() and printf() 
statement to be called.

This remote and root.  Beware.
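Added example (not ntop's code and not part of the GOBBLES advisory): the quoted util.c pattern passes the rendered message to syslog() as the format string, so a username containing '%' sequences is interpreted rather than logged. The hardened form below renders the message once with vsnprintf() and then hands the result to syslog() as an argument of a fixed "%s" format. The names trace_event, format_trace, trace_priority and has_format_directive are assumed for this illustration, and the level-to-priority mapping simply mirrors the switch quoted above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Map ntop-style trace levels to syslog priorities; same mapping as the
   switch quoted from util.c above (function name is assumed). */
int trace_priority(int level)
{
    switch (level) {
    case 0:  return LOG_ERR;
    case 1:  return LOG_WARNING;
    case 2:  return LOG_NOTICE;
    default: return LOG_INFO;
    }
}

/* Render fmt/args into buf. Returns the message length, or -1 if the
   message did not fit (a truncated line is reported, never logged silently). */
int format_trace(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return n;
}

/* Hardened replacement for the quoted pattern. The defect on the page is
   syslog(LOG_ERR, buf): user-controlled text becomes the FORMAT string.
   Here the rendered text is always an argument to a fixed "%s" format, so
   any '%' sequences typed into a username are logged as plain characters. */
void trace_event(int level, const char *fmt, ...)
{
    char buf[1024];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    syslog(trace_priority(level), "%s", buf);   /* never syslog(prio, buf) */
}

/* Cheap triage helper for detection rules: does an untrusted field carry
   a '%' at all? Worth flagging in auth logs; it is not a substitute for
   the fixed format string above. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Constructed sample input (not from the page): a hostile username rendered
   the safe way. Returns 1 when the directives survive as literal text. */
int demo_literal_preserved(void)
{
    char buf[128];
    const char *user = "%x%x%n";
    const char *pw   = "secret";

    if (format_trace(buf, sizeof buf, "User='%s' - Pw='%s'", user, pw) < 0)
        return 0;
    return strcmp(buf, "User='%x%x%n' - Pw='secret'") == 0;
}

/* Constructed sample: a buffer too small for the line, to show that
   truncation is reported rather than hidden. Returns 1 when flagged. */
int demo_truncation_reported(void)
{
    char buf[8];
    return format_trace(buf, sizeof buf, "User='%s'", "averylongname") == -1;
}

int main(void)
{
    printf("literal preserved: %d\n", demo_literal_preserved());
    printf("truncation reported: %d\n", demo_truncation_reported());
    printf("'%%' in field: %d\n", has_format_directive("%x%x%n"));
    trace_event(1, "Login failed for user='%s'", "%x%x%n");  /* logged literally */
    return 0;
}
```

When auditing a code base for the same class of bug, compiling with gcc's -Wformat -Wformat-security flags every printf-family or syslog() call whose format is not a string literal and has no further arguments, which is exactly the shape of the syslog(LOG_ERR, buf) lines quoted above.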

Fix:
None at this time.  Thank zen-parse for being leech.

Suggested Workaround:
Don't run software on network that can report buffer overflows in itself from 513 different locations in the code.

Greets:
Our #1 fan, Dave Aitel.  Dave, GOBBLES love you -- you get free GOBBLES Security tshirt at Defcon.


Love to all (but especially to "bob"),
GOBBLES Security
http://www.bugtraq.org
GOBBLES () hushmail com


ps: GOBBLES currently in communication with Sun Microsystems about lethal remote bug in Solaris 6, 7, and 8.  Sun has 
asked GOBBLES to wait one month to release advisory so that service can be fixed.  GOBBLES not sure if he can wait this 
long, but will try very hard to not click "send" for while longer on hole.  If you run Solaris, likely you are 
vulnerable.  But you will have to wait.

No joke, this serious remote root hole.  GOBBLES turned blind eye to argument from hackers about danger of releasing 
vulnerabilities.  GOBBLES know that only hackers care about non-disclosure.  Anyone else is likely to be very boring. 
:))))

Hey, GOBBLES considered two ways of getting fame and recognition for he world-class security group... 1. put up a 
message board on bugtraq.org with gobbles group name branded all over it and let world know he have private exploits... 
2. submit ground-breaking research to the securityfocus mailing lists.....

hey, the latter has a bigger audience ;)))))))


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjy1k3cVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPsUEA
n0YCfbYbhyvYgWYIolGRX8FVIbCHAJ0dLAzuHGB7ruhgsINM38dBPJ2Opw==
=/r5w
-----END PGP SIGNATURE-----
