Category:   Application (File Transfer/Sharing)  >   OpenFTPD
Vendors:
OpenFTPD Format String Flaw Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010823
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 30 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.30.2 prior to July 16, 2004, and prior versions
Description:   A vulnerability was reported in OpenFTPD. A remote authenticated user can execute arbitrary code on the target system.

VOID.AT Security reported that a remote authenticated user can send a specially crafted message to another FTP user to trigger a format string flaw and execute arbitrary code on the FTP server.

The flaw resides in 'misc/msg.c'.

A demonstration exploit command is provided:

site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"

The vendor was reportedly notified on July 14, 2004.

Thomas Wana is credited with discovering this vulnerability.

Impact:   A remote authenticated user can execute arbitrary code on the target system with the privileges of the FTP service.
Solution:   The vendor has released a fixed version (0.30.2 as of July 16, 2004), available at:

Vendor URL:
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

Source Message Contents

Subject:  [Full-Disclosure] [VSA0402] OpenFTPD format string vulnerability


[VSA0402 - openftpd - security notice]


We have discovered a format string vulnerability in openftpd.
OpenFTPD is a free, open source FTP server implementation for the UNIX platform.
FTP4ALL is not vulnerable (it doesn't use that message system).

Affected Versions

This affects openftpd versions up to 0.30.2, including the
old version 0.29.4.


Remote shell access when you have a working FTP user account.


Apply the following patch or upgrade to the latest CVS version.

cat > openftpd_formatstring.patch << _EOF_
--- openftpd-daily.orig/src/misc/msg.c  2004-07-05 22:02:43.000000000 +0200
+++ openftpd-daily/src/misc/msg.c       2004-07-13 18:05:01.000000000 +0200
@@ -319,7 +319,7 @@
    while (fgets(buff, 67, file)) {
       if (*(buff+strlen(buff)-1) =3D=3D '\n') *(buff+strlen(buff)-1) =3D 0;
       sprintf(str, "  !C| !0%-66s !C|!0\n", buff);
-      printf(str);
+      printf("%s", str);
    printf("!C   \\__________________________________________________!Hend =
of message!C__/!0\n");
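Review bot: the `-      printf(str);` / `+      printf("%s", str);` change closes the format-string hole, because `str` (built from attacker-supplied message text) no longer reaches printf as the format, but the `sprintf(str, "  !C| !0%-66s !C|!0\n", buff);` in the context line just above it is still an unbounded sprintf; unless `str` is known to hold the 82 bytes the framed line needs, make it `snprintf(str, sizeof str, ...)`. Two smaller points in the same hunk: `fputs(str, stdout)` states the intent (no format at all) more directly than `printf("%s", str)`, and `*(buff+strlen(buff)-1)` reads `buff[-1]` when fgets returns an empty string, so guard it with `strlen(buff) > 0`.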


When a user sends a message to another user, an external program (msg) is
called; it handles OpenFTPD's message delivery.

andi@hoagie:~$ ncftp
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read

  | Message sent from: andi                    Tue 13/07/2004 18:28:46 |
  |                                                                    |
  | AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212020|3021207c|41414141]             |
   \__________________________________________________end of message__/
Messages moved to archive box.

Let's have a look at the source code:

[openftpd-daily/src/misc/msg.c, function cat_message()]
   while (fgets(buff, 67, file)) {
      /* strip the trailing newline from the line just read */
      if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
      /* frame the user-supplied line; buff is attacker-controlled message text */
      sprintf(str, "  !C| !0%-66s !C|!0\n", buff);
      /* str is then passed to printf() as the format string (see the patch above) */
      printf(str);
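The following is an added example, not OpenFTPD's own code: a hardened rewrite of the per-line loop in cat_message() that keeps the original framing (the "  !C| !0%-66s !C|!0" layout and the 66-column fgets width) but only ever passes the user's message text through a "%s" argument, bounds the framing buffer with snprintf, and guards the empty-line case. The function names, buffer sizes and the sample message are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenFTPD's own code: a hardened rewrite of the per-line
 * loop in cat_message() (misc/msg.c). The message body is attacker-controlled
 * text, so it is only ever passed as a "%s" argument, never as the format
 * string, and the framing buffer is bounded with snprintf instead of sprintf. */

#define MSG_COLS  66                /* width of the original "%-66s" field   */
#define LINE_BUF  (MSG_COLS + 1)    /* fgets(buff, 67, file) in the original */
#define FRAME_BUF 128               /* framing (15 chars) + MSG_COLS + NUL   */

/* Frame one raw message line the way the original sprintf does, but bounded.
 * Returns the length of the framed line (81 for any line of at most MSG_COLS
 * characters) or -1 if `out` is too small to hold it. */
int frame_message_line(const char *raw, char *out, size_t outsz)
{
    char buff[LINE_BUF];
    size_t len;
    int n;

    /* Mirror fgets(buff, 67, file): keep at most MSG_COLS characters. (fgets
     * would hand the remainder to the next iteration; here it is dropped.) */
    snprintf(buff, sizeof buff, "%s", raw);

    /* Strip a trailing newline. The length check avoids the buff[-1] read
     * that the original's *(buff+strlen(buff)-1) performs on an empty line. */
    len = strlen(buff);
    if (len > 0 && buff[len - 1] == '\n')
        buff[len - 1] = '\0';

    /* User text enters through %s: a "%08x" inside it is printed literally. */
    n = snprintf(out, outsz, "  !C| !0%-*s !C|!0\n", MSG_COLS, buff);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Emit one framed line. fputs takes no format string at all; the vendor
 * patch's printf("%s", str) is equivalent. Returns the line length or -1. */
int print_message_line(const char *raw)
{
    char out[FRAME_BUF];
    int n = frame_message_line(raw, out, sizeof out);
    if (n < 0)
        return -1;
    fputs(out, stdout);
    return n;
}

int main(void)
{
    /* Constructed sample message in the style of the advisory's test string. */
    const char *lines[] = {
        "AAAA%08x|%08x|%08x]\n",
        "",
        "a line well over sixty-six characters long that fgets would split into two",
    };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        print_message_line(lines[i]);
    return 0;
}
```

Run as-is, the first line is framed with its "%08x" directives intact instead of being expanded from the stack, the empty line is padded to the full width without touching memory before the buffer, and the over-long line is cut at 66 columns rather than overrunning the framing buffer.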


2004-04-02: Bug discovered
2004-07-14: Vendor notified (primemovr)
2004-07-16: Patch for format string bug
2004-07-22: Public release

Discovered by

Thomas Wana <>

Further research by

Andi <>



