Date: 1 Aug 2004 15:26:14 +0200
From: SecuriTeam <[email protected]>
To: [email protected]Subject: [UNIX] OpenFTPD Format String Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
OpenFTPD Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
OpenFTPD is a free, open source FTP server implementation for the UNIX
platform.
OpenFTPD suffers from a format string vulnerability when handling the SITE
MSG command.
DETAILS
Vulnerable Systems:
* OpenFTPD 0.30.2 and prior
Immune Systems:
* OpenFTPD 0.30.2 - Immune since 2004-07-16
Impact:
Remote execution of arbitrary code by an attacker having a working FTP
account on the remote server
Technical Details:
When a user sends a message to another user using the SITE MSG command an
external program will be called (msg). It is used by the OpenFTPD message
handling.
andi@hoagie:~$ ncftp
..
..
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi
"AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read
| Message sent from: andi Tue 13/07/2004 18:28:46
|
|
AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212020|3021207c|41414141]
Vulnerable Code:
>From openftpd-daily/src/misc/msg.c, function cat_message():
--------------------------------- Begin Code
---------------------------------
..
while (fgets(buff, 67, file)) {
if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
sprintf(str, " !C| !0%-66s !C|!0\n", buff);
printf(str); //<--- should be printf("%s",str);
}
..
---------------------------------- End Code
----------------------------------
Vendor Status:
The vendor has been contacted and a newer version is available for
download. Users are encouraged to upgrade to the newer version, which is
available at <http://www.openftpd.org:9673/openftpd/> www.openftpd.org.
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]> Thomas Wana.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
