exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VSA0402.txt

VSA0402.txt
Posted Aug 5, 2004
Authored by Andi, Thomas Wana | Site void.at

A format string vulnerability exists in OpenFTPD versions up to 0.30.2.

tags | advisory
SHA-256 | 3d14f8de65a15da5e2a16400f1ad225b52f93ab1e94fb25bdb07df8230707879

VSA0402.txt

Change Mirror Download
[VSA0402 - openftpd - void.at security notice]

Overview
========

We have discovered a format string vulnerability in openftpd
(http://www.openftpd.org:9673/openftpd). OpenFTPD is a free,
open source FTP server implementation for the UNIX platform.
FTP4ALL is not vulnerable (it doesnt use that message system).

Affected Versions
=================

This affects openftpd version up to 0.30.2. This includes
also the old version 0.29.4.

Impact
======

Middle.
Remote Shell Access when you have an working FTP user account.

Workaround:
===========

Apply the following patch or upgrade to the latest CVS version.

cat > openftpd_formatstring.patch << _EOF_
- --- openftpd-daily.orig/src/misc/msg.c 2004-07-05 22:02:43.000000000 +0200
+++ openftpd-daily/src/misc/msg.c 2004-07-13 18:05:01.000000000 +0200
@@ -319,7 +319,7 @@
while (fgets(buff, 67, file)) {
if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
sprintf(str, " !C| !0%-66s !C|!0\n", buff);
- - printf(str);
+ printf("%s", str);
}
fclose(file);
printf("!C \\__________________________________________________!Hend of message!C__/!0\n");
_EOF_

Details
=======

When a user sends a message to another user an external program will be
called (msg). It is used for the OpenFTPD message handling.

andi@hoagie:~$ ncftp
...
...
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read

.________________________________________________________________________.
| Message sent from: andi Tue 13/07/2004 18:28:46 |
| |
| AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212020|3021207c|41414141] |
\__________________________________________________end of message__/
Messages moved to archive box.
...
...

Lets have a look at the source code:

[openftpd-daily/src/misc/msg.c, function cat_message()]
...
while (fgets(buff, 67, file)) {
if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
sprintf(str, " !C| !0%-66s !C|!0\n", buff);
printf(str);
}
...

Timeline
========

2004-04-02: Bug discovered
2004-07-14: Vendor notified (primemovr)
2004-07-16: Patch for format string bug
2004-07-22: public release

Discovered by
=============

Thomas Wana <greuff@void.at>

Further research by
===================

Andi <andi@void.at>

Credits
=======

void.at
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close