'[Full-Disclosure] [VSA0402] OpenFTPD format string vulnerability'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-Disclosure] [VSA0402] OpenFTPD format string vulnerability
From:       "VOID.AT Security" <crew () void ! at>
Date:       2004-07-30 10:55:07
Message-ID: 20040730105507.GA9666 () moon ! void ! at
[Download RAW message or body]

[VSA0402 - openftpd - void.at security notice]

Overview
========

We have discovered a format string vulnerability in openftpd
(http://www.openftpd.org:9673/openftpd). OpenFTPD is a free,
open source FTP server implementation for the UNIX platform.
FTP4ALL is not vulnerable (it doesnt use that message system).

Affected Versions
=================

This affects openftpd version up to 0.30.2. This includes
also the old version 0.29.4.

Impact
======

Middle.
Remote Shell Access when you have an working FTP user account. 

Workaround:
===========

Apply the following patch or upgrade to the latest CVS version.

cat > openftpd_formatstring.patch << _EOF_
--- openftpd-daily.orig/src/misc/msg.c  2004-07-05 22:02:43.000000000 +0200
+++ openftpd-daily/src/misc/msg.c       2004-07-13 18:05:01.000000000 +0200
@@ -319,7 +319,7 @@
    while (fgets(buff, 67, file)) {
       if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
       sprintf(str, "  !C| !0%-66s !C|!0\n", buff);
-      printf(str);
+      printf("%s", str);
    }
    fclose(file);
    printf("!C   \\__________________________________________________!Hend of message!C__/!0\n");
_EOF_

Details
=======

When a user sends a message to another user an external program will be
called (msg). It is used for the OpenFTPD message handling.

andi@hoagie:~$ ncftp
...
...
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read

.________________________________________________________________________.
  | Message sent from: andi                    Tue 13/07/2004 18:28:46 |
  |                                                                    |
  | AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212020|3021207c|41414141]             |
   \__________________________________________________end of message__/
Messages moved to archive box.
...
...

Lets have a look at the source code:

[openftpd-daily/src/misc/msg.c, function cat_message()]
...
   while (fgets(buff, 67, file)) {
      if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
      sprintf(str, "  !C| !0%-66s !C|!0\n", buff);
      printf(str);
   }
...

Timeline
========

2004-04-02: Bug discovered
2004-07-14: Vendor notified (primemovr)
2004-07-16: Patch for format string bug
2004-07-22: public release

Discovered by
=============

Thomas Wana <greuff@void.at>

Further research by
===================

Andi <andi@void.at>

Credits
=======

void.at

[Attachment #3 (application/pgp-signature)]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic