We have discovered a format string vulnerability in openftpd
(http://www.openftpd.org:9673/openftpd). OpenFTPD is a free,
open source FTP server implementation for the UNIX platform.
FTP4ALL is not vulnerable (it doesnt use that message system).
Affected Versions
=================
This affects openftpd version up to 0.30.2. This includes
also the old version 0.29.4.
Impact
======
Middle.
Remote Shell Access when you have an working FTP user account.
Workaround:
===========
Apply the following patch or upgrade to the latest CVS version.
When a user sends a message to another user an external program will be
called (msg). It is used for the OpenFTPD message handling.
andi@hoagie:~$ ncftp
...
...
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read
._______________________________________________________________________
_.
| Message sent from: andi Tue 13/07/2004 18:28:46 |
| |
| AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212
020|3021207c|41414141] |
\__________________________________________________end of message__/
Messages moved to archive box.
...
...
Lets have a look at the source code:
[openftpd-daily/src/misc/msg.c, function cat_message()]
...
while (fgets(buff, 67, file)) {
if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
sprintf(str, " !C| !0%-66s !C|!0\n", buff);
printf(str);
}
...
Timeline
========
2004-04-02: Bug discovered
2004-07-14: Vendor notified (primemovr)
2004-07-16: Patch for format string bug
2004-07-22: public release
Discovered by
=============
Thomas Wana <greuff (at) void (dot) at [email concealed]>
Overview
========
We have discovered a format string vulnerability in openftpd
(http://www.openftpd.org:9673/openftpd). OpenFTPD is a free,
open source FTP server implementation for the UNIX platform.
FTP4ALL is not vulnerable (it doesnt use that message system).
Affected Versions
=================
This affects openftpd version up to 0.30.2. This includes
also the old version 0.29.4.
Impact
======
Middle.
Remote Shell Access when you have an working FTP user account.
Workaround:
===========
Apply the following patch or upgrade to the latest CVS version.
cat > openftpd_formatstring.patch << _EOF_
- --- openftpd-daily.orig/src/misc/msg.c 2004-07-05 22:02:43.000000000 +0200
+++ openftpd-daily/src/misc/msg.c 2004-07-13 18:05:01.000000000 +0200
@@ -319,7 +319,7 @@
while (fgets(buff, 67, file)) {
if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
sprintf(str, " !C| !0%-66s !C|!0\n", buff);
- - printf(str);
+ printf("%s", str);
}
fclose(file);
printf("!C \\__________________________________________________!Hend of message!C__/!0\n");
_EOF_
Details
=======
When a user sends a message to another user an external program will be
called (msg). It is used for the OpenFTPD message handling.
andi@hoagie:~$ ncftp
...
...
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read
._______________________________________________________________________
_.
| Message sent from: andi Tue 13/07/2004 18:28:46 |
| |
| AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212
020|3021207c|41414141] |
\__________________________________________________end of message__/
Messages moved to archive box.
...
...
Lets have a look at the source code:
[openftpd-daily/src/misc/msg.c, function cat_message()]
...
while (fgets(buff, 67, file)) {
if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
sprintf(str, " !C| !0%-66s !C|!0\n", buff);
printf(str);
}
...
Timeline
========
2004-04-02: Bug discovered
2004-07-14: Vendor notified (primemovr)
2004-07-16: Patch for format string bug
2004-07-22: public release
Discovered by
=============
Thomas Wana <greuff (at) void (dot) at [email concealed]>
Further research by
===================
Andi <andi (at) void (dot) at [email concealed]>
Credits
=======
void.at
[ reply ]