VSA0402.txt

VSA0402.txt: Posted Aug 5, 2004; Authored by Andi, Thomas Wana | Site void.at; A format string vulnerability exists in OpenFTPD versions up to 0.30.2.; tags | advisory; SHA-256 | 3d14f8de65a15da5e2a16400f1ad225b52f93ab1e94fb25bdb07df8230707879; Download | Favorite | View

VSA0402.txt

[VSA0402 - openftpd - void.at security notice]

Overview
========

We have discovered a format string vulnerability in openftpd
(http://www.openftpd.org:9673/openftpd). OpenFTPD is a free,
open source FTP server implementation for the UNIX platform.
FTP4ALL is not vulnerable (it doesnt use that message system).

Affected Versions
=================

This affects openftpd version up to 0.30.2. This includes
also the old version 0.29.4.

Impact
======

Middle.
Remote Shell Access when you have an working FTP user account. 

Workaround:
===========

Apply the following patch or upgrade to the latest CVS version.

cat > openftpd_formatstring.patch << _EOF_
- --- openftpd-daily.orig/src/misc/msg.c  2004-07-05 22:02:43.000000000 +0200
+++ openftpd-daily/src/misc/msg.c       2004-07-13 18:05:01.000000000 +0200
@@ -319,7 +319,7 @@
    while (fgets(buff, 67, file)) {
       if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
       sprintf(str, "  !C| !0%-66s !C|!0\n", buff);
- -      printf(str);
+      printf("%s", str);
    }
    fclose(file);
    printf("!C   \\__________________________________________________!Hend of message!C__/!0\n");
_EOF_

Details
=======

When a user sends a message to another user an external program will be
called (msg). It is used for the OpenFTPD message handling.

andi@hoagie:~$ ncftp
...
...
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read

.________________________________________________________________________.
  | Message sent from: andi                    Tue 13/07/2004 18:28:46 |
  |                                                                    |
  | AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212020|3021207c|41414141]             |
   \__________________________________________________end of message__/
Messages moved to archive box.
...
...

Lets have a look at the source code:

[openftpd-daily/src/misc/msg.c, function cat_message()]
...
   while (fgets(buff, 67, file)) {
      if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
      sprintf(str, "  !C| !0%-66s !C|!0\n", buff);
      printf(str);
   }
...

Timeline
========

2004-04-02: Bug discovered
2004-07-14: Vendor notified (primemovr)
2004-07-16: Patch for format string bug
2004-07-22: public release

Discovered by
=============

Thomas Wana <greuff@void.at>

Further research by
===================

Andi <andi@void.at>

Credits
=======

void.at

Top Authors In Last 30 Days

Red Hat 216 files
Ubuntu 78 files
indoushka 77 files
Jasper Nota 25 files
Gentoo 22 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,553)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,689)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,482)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,736)
UNIX (9,435)
UnixWare (187)
Windows (6,671)
Other

VSA0402.txt

VSA0402.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

VSA0402.txt

Share This

VSA0402.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems