-= Unl0ck Team Security Advisory =-

                ... the best way of protection is attack

Advisory     : #8 by unl0ck team
Product      : openftpd (latest version)
Vendor       : http://openftpd.org
Date         : 24.09.2004.
Impact       : format string vulnerability
Advisory URL : http://unl0ck.info/advisories/openftpd.txt


-=[ Overview

OpenFTPD is a free, open source FTP server implementation for the UNIX
platform. It is based on FTP4ALL (www.ftp4all.de), but the differences are
already quite big.

]=-


-=[ Vulnerability

A format string vulnerability exists in the following files:

    \openftpd-daily\src\ftpd\sections.c
    \openftpd-daily\src\misc\msg.c

sections.c:

    int f4adp_sec_set(struct child_s* c, char** p, int n)
    {
        ...
        char filename[256];
        char filenametmp[256];
        char *q;
        FILE* file;
        FILE* filetmp;
        ...
        while (fgets(str, sizeof(str), file)) {
            q = str;
            while (isspace(*q))
                q++;
            if (!strncasecmp(q, p[1], strlen(p[1])) && *(q + strlen(p[1])) == ' ') {
                found = 1;
                g_snprintf(str, sizeof(str), "%-20s %s\n", p[1], p[2]);
            }
            fprintf(filetmp, str);   // <--- format string vulnerability
        }
        ...

msg.c:

    void cat_help()
    {
        char name[256];
        FILE *file;
        char *serverdir = NULL;
        ...
        if (!(file = fopen(name, "rt"))) {
            printf("Error opening msg help file\n");
            return;
        }
        while (fgets(name, sizeof(name) - 1, file)) {
            printf(name);            // <--- format string vulnerability
        }
        ...

In f4adp_sec_set() the rewritten line comes from user-supplied parameters
(p[1], p[2]) and is then passed to fprintf() as the format string. In
cat_help() the data cannot be manipulated, but the call is still wrong and
the function should be fixed as well.

To avoid the bug, pass the buffer as an argument to a fixed format string:

    fprintf(filetmp, "%s", str);

and

    printf("%s", name);

]=-


-=[ Credits

This bug was found by D4rk Eagle
mailto:darkeagle@list.ru

Unl0ck Team [http://unl0ck.net.ru] || [http://unl0ck.info]

]=-
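The following C program is an added example, not OpenFTPD code and not part of the original advisory. It reproduces the shape of the sections.c rewrite loop with the fix applied (a fixed "%s" format, the buffer passed as an argument), and shows that a key or value full of conversion specifiers is written out verbatim instead of being interpreted by fprintf(). The section file contents, the key names and the rewrite_section()/demo_rewrite()/demo_found() helpers are constructed for this example; fmemopen() is assumed to be available (POSIX.1-2008).

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(), strncasecmp() */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample section file (not from OpenFTPD). */
const char *SAMPLE_SECTIONS =
    "# constructed section file\n"
    "upload  /pub/incoming\n"
    "download /pub\n";

/* Hardened rewrite loop modelled on f4adp_sec_set() in sections.c.
 * Lines from `input` are copied to `out`; the line whose first token
 * matches `key` (case-insensitively, followed by a space) is replaced by
 * "key value". Every write uses the fixed format "%s", so user-supplied
 * text in `key` or `value` is an argument to fprintf(), never its format.
 * Returns 1 if the key was found, 0 if not, -1 on error. */
int rewrite_section(const char *input, const char *key, const char *value,
                    char *out, size_t outlen)
{
    char str[256];
    int found = 0;
    FILE *file, *filetmp;

    memset(out, 0, outlen);                  /* guarantee NUL termination */
    file = fmemopen((void *)input, strlen(input), "r");
    if (!file)
        return -1;
    filetmp = fmemopen(out, outlen - 1, "w");
    if (!filetmp) {
        fclose(file);
        return -1;
    }

    while (fgets(str, sizeof(str), file)) {
        char *q = str;
        while (isspace((unsigned char)*q))
            q++;
        if (!strncasecmp(q, key, strlen(key)) && *(q + strlen(key)) == ' ') {
            found = 1;
            /* key/value are arguments here too; the format is a literal */
            snprintf(str, sizeof(str), "%-20s %s\n", key, value);
        }
        /* The fix from the advisory: str is data, not the format string. */
        fprintf(filetmp, "%s", str);
    }
    fclose(file);
    fclose(filetmp);
    return found;
}

/* Runs the rewrite over the constructed sample and returns the result
 * (static buffer, overwritten on each call); NULL on error. */
const char *demo_rewrite(const char *key, const char *value)
{
    static char out[512];
    if (rewrite_section(SAMPLE_SECTIONS, key, value, out, sizeof out) < 0)
        return NULL;
    return out;
}

/* Returns the found/not-found result of the rewrite for `key`. */
int demo_found(const char *key)
{
    char scratch[512];
    return rewrite_section(SAMPLE_SECTIONS, key, "x", scratch, sizeof scratch);
}

int main(void)
{
    /* A value made of conversion specifiers is copied through verbatim. */
    fputs(demo_rewrite("upload", "%x%x%n"), stdout);
    return 0;
}
```

The only change relative to the vulnerable loop in the advisory is that the buffer never reaches fprintf() as the format argument; the matching, padding and file handling are unchanged.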