mtftpd format string.
aac5d22fba63ad99af1942a0881a5ab9ff7b204bf3f47149a6e0a406c8a9ebcd
mtftpd <= 0.0.3 format string vulnerability
number: #15
author: darkeagle
date: xx.10.04
vendor: http://mtftpd.sourceforge.net
status: mtftpd doesn't supported
overview:
mtftpd - simple ftp daemon in Unix like systems.
details:
1st of all... i wanna said, that this bug was stollen by setnf.
i said to him about this bug.. and he released ( without my agree ) it under some team name.
continue...
format string vulnerability was founded in this ftpd.
remote user can execute evil code and gain root access.
/home/darkeagle/research/mtftpd-0.0.3/src/log.c:
static void log_do(const int err, const int prd, const char *fmt, va_list ap)
{
#define MAXLINE 4096
int errno_save;
char buf[MAXLINE];
...
#else
syslog(prd, buf); <------- format string vulnerability
#endif
}
as you can see, vulnerability exist in syslog function.
/home/darkeagle/research/mtftpd-0.0.3/src/cmd.c:
CMD_P(cwd)
{
int ret;
#if MT_DEBUG
log_msg("session: %d. You are into cmd_cwd()", ses->ses);
#endif
....
log_ret("chdir error to dir %s", path);
...
}
so, from source code we can see, that vulnerability function using when remote user
try to change directory with "CWD" function.
NOTE:
mtftpd is vulnerable only if statistic option is enable. by default it's disabled.
exploit:
An exploit is avaible to download from our site ( http://unl0ck.org ).
An exploit send special crafted data and binds shell on 2003 port.
greetz:
all unl0ckerz, nosystemz, rosielloz etc..
(c) uKt Research
2004-2005
http://unl0ck.org
darkeagle [at] linkin-park [dot] cc
darkeagle [at] unl0ck [dot] org