SecurityTracker.com
SecurityTracker Archives

Category:   Application (File Transfer/Sharing)  >   OpenFTPD Vendors:   openftpd.org
OpenFTPD Format String Flaw Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010823
SecurityTracker URL:  http://securitytracker.com/id/1010823
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 30 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.30.2 prior to July 16, 2004, and prior versions
Description:   A vulnerability was reported in OpenFTPD. A remote authenticated user can execute arbitrary code on the target system.

VOID.AT Security reported that a remote authenticated user can send a specially crafted message to another FTP user to trigger a format string flaw and execute arbitrary code on the FTP server.

The flaw resides in 'misc/msg.c'.

A demonstration exploit command is provided:

site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"

The vendor was reportedly notified on July 14, 2004.

Thomas Wana is credited with discovering this vulnerability.

Impact:   A remote authenticated user can execute arbitrary code on the target system with the privileges of the FTP service.
Solution:   The vendor has released a fixed version (0.30.2 as of July 16, 2004), available at:

http://www.openftpd.org:9673/openftpd/download_page.html

Vendor URL:  www.openftpd.org:9673/openftpd/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Subject:  [Full-Disclosure] [VSA0402] OpenFTPD format string vulnerability




[VSA0402 - openftpd - void.at security notice]

Overview
========

We have discovered a format string vulnerability in openftpd
(http://www.openftpd.org:9673/openftpd). OpenFTPD is a free,
open source FTP server implementation for the UNIX platform.
FTP4ALL is not vulnerable (it doesn't use that message system).

Affected Versions
=================

This affects openftpd versions up to 0.30.2. This also includes
the old version 0.29.4.

Impact
======

Middle.
Remote shell access when you have a working FTP user account.

Workaround:
===========

Apply the following patch or upgrade to the latest CVS version.

cat > openftpd_formatstring.patch << _EOF_
--- openftpd-daily.orig/src/misc/msg.c  2004-07-05 22:02:43.000000000 +0200
+++ openftpd-daily/src/misc/msg.c       2004-07-13 18:05:01.000000000 +0200
@@ -319,7 +319,7 @@
    while (fgets(buff, 67, file)) {
       if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
       sprintf(str, "  !C| !0%-66s !C|!0\n", buff);
-      printf(str);
+      printf("%s", str);
    }
    fclose(file);
    printf("!C   \\__________________________________________________!Hend of message!C__/!0\n");
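Review bot: the `printf("%s", str)` line closes the format-string hole, but the `sprintf(str, "  !C| !0%-66s !C|!0\n", buff)` two lines above still writes a fixed 81-character line plus NUL into `str`, whose size is not visible in this hunk (fgets(buff, 67, ...) bounds buff to 66 characters, so the field is always exactly 66 wide); since `str` exists only to be printed, the simpler fix is to drop it and print directly: `printf("  !C| !0%-66s !C|!0\n", buff);`. Two smaller points: `*(buff+strlen(buff)-1)` reads before `buff` when fgets returns a line whose first byte is NUL (a `strlen(buff) > 0` guard is cheap), and the `cat > ... << _EOF_` wrapper uses an unquoted delimiter, so the shell collapses the `\\` in the trailing context line to `\` and that context line may no longer match the source; quoting it as `<< '_EOF_'` keeps the patch byte-for-byte.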
_EOF_

Details
=======

When a user sends a message to another user an external program will be
called (msg). It is used for the OpenFTPD message handling.

andi@hoagie:~$ ncftp
...
...
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read

.________________________________________________________________________.
  | Message sent from: andi                    Tue 13/07/2004 18:28:46 |
  |                                                                    |
  | AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212020|3021207c|41414141]             |
   \__________________________________________________end of message__/
Messages moved to archive box.
...
...

Let's have a look at the source code:

[openftpd-daily/src/misc/msg.c, function cat_message()]
...
   while (fgets(buff, 67, file)) {
      if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
      sprintf(str, "  !C| !0%-66s !C|!0\n", buff);
      printf(str);
   }
...

Timeline
========

2004-04-02: Bug discovered
2004-07-14: Vendor notified (primemovr)
2004-07-16: Patch for format string bug
2004-07-22: Public release

Discovered by
=============

Thomas Wana <greuff@void.at>

Further research by
===================

Andi <andi@void.at>

Credits
=======

void.at
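As an added example (not OpenFTPD's code and not part of the advisory), the cat_message() loop from misc/msg.c shown above, written in its patched shape: the message text reaches printf only as a "%s" argument, the copy into the line buffer is bounded the way fgets(buff, 67, file) bounds it, and the trailing-newline strip guards the empty-line case. The names chomp, render_line, print_line and render_and_find, and the buffer sizes LINE_CHARS and RENDER_BUF, are assumptions; the real size of str in msg.c is not given on the page.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CHARS 66   /* fgets(buff, 67, file) reads at most 66 chars per line */
#define RENDER_BUF 128  /* assumed size for the rendered line; str's real size is not shown */

/* Strip one trailing newline in place, as the original loop does, but only
 * for a non-empty line (strlen(buff)-1 would otherwise index buff[-1]). */
static void chomp(char *buff)
{
    size_t n = strlen(buff);
    if (n > 0 && buff[n - 1] == '\n')
        buff[n - 1] = '\0';
}

/* Render one message line into the 66-column box drawn by cat_message().
 * The user-controlled text is only ever a "%s" argument, so '%' sequences
 * in it ("%08x", "%n", ...) are copied literally, never interpreted.
 * Returns the rendered length, or -1 if out is too small. */
int render_line(const char *line, char *out, size_t outsz)
{
    char buff[LINE_CHARS + 1];
    snprintf(buff, sizeof buff, "%s", line);   /* bounded copy, as fgets bounds it */
    chomp(buff);
    int n = snprintf(out, outsz, "  !C| !0%-66s !C|!0\n", buff);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* The vendor patch in one line: the rendered text is an argument, never the format. */
void print_line(const char *rendered)
{
    printf("%s", rendered);
}

/* Check helper: render line and confirm needle survived verbatim.
 * Returns the rendered length (always 81 for a line that fits), or -1. */
int render_and_find(const char *line, const char *needle)
{
    char out[RENDER_BUF];
    int n = render_line(line, out, sizeof out);
    return (n < 0 || strstr(out, needle) == NULL) ? -1 : n;
}

int main(void)
{
    char out[RENDER_BUF];   /* constructed sample: the probe string from the advisory */
    if (render_line("AAAA%08x|%08x|%08x|%08x]\n", out, sizeof out) > 0)
        print_line(out);    /* the "%08x" tokens appear verbatim inside the box */
    return 0;
}
```

Built with `-Wformat-security`, the original `printf(str)` warns while this version does not, which is the cheapest regression check for this class of bug.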
