mtftpd <= 0.0.3 format string vulnerability

number: #15
author: darkeagle
date: xx.10.04
vendor: http://mtftpd.sourceforge.net
status: mtftpd doesn't supported

overview:

mtftpd - simple ftp daemon in Unix like systems.

details:

1st of all... i wanna said, that this bug was stollen by setnf.
i said to him about this bug.. and he released ( without my agree ) it under some team name.

continue...
format string vulnerability was founded in this ftpd.
remote user can execute evil code and gain root access.

/home/darkeagle/research/mtftpd-0.0.3/src/log.c:

static void log_do(const int err, const int prd, const char *fmt, va_list ap)
{
#define MAXLINE 4096
  int errno_save;
  char buf[MAXLINE];
...
#else
  syslog(prd, buf);  <------- format string vulnerability
#endif
}

as you can see, vulnerability exist in syslog function.

/home/darkeagle/research/mtftpd-0.0.3/src/cmd.c:

CMD_P(cwd)
{
  int ret;

#if MT_DEBUG
  log_msg("session: %d. You are into cmd_cwd()", ses->ses);
#endif
....
    log_ret("chdir error to dir %s", path);
...
}

so, from source code we can see, that vulnerability function using when remote user
try to change directory with "CWD" function.

NOTE:
mtftpd is vulnerable only if statistic option is enable. by default it's disabled.

exploit:

An exploit is avaible to download from our site ( http://unl0ck.org ).
An exploit send special crafted data and binds shell on 2003 port.

greetz:
all unl0ckerz, nosystemz, rosielloz etc..

(c) uKt Research
    2004-2005
http://unl0ck.org

darkeagle [at] linkin-park [dot] cc
darkeagle [at] unl0ck [dot] org