[Please upgrade if you run OpenFTPD -- Raju]
This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="J/dobhs11T7y2rNN"
Content-Disposition: inline
Message-ID: <[EMAIL PROTECTED]>
From: "VOID.AT Security" <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] [VSA0402] OpenFTPD format string vulnerability
Date: Fri, 30 Jul 2004 12:55:07 +0200
--J/dobhs11T7y2rNN
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
[VSA0402 - openftpd - void.at security notice]
Overview
=3D=3D=3D=3D=3D=3D=3D=3D
We have discovered a format string vulnerability in openftpd
(http://www.openftpd.org:9673/openftpd). OpenFTPD is a free,
open source FTP server implementation for the UNIX platform.
FTP4ALL is not vulnerable (it doesnt use that message system).
Affected Versions
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
This affects openftpd version up to 0.30.2. This includes
also the old version 0.29.4.
Impact
=3D=3D=3D=3D=3D=3D
Middle.
Remote Shell Access when you have an working FTP user account.=20
Workaround:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Apply the following patch or upgrade to the latest CVS version.
cat > openftpd_formatstring.patch << _EOF_
--- openftpd-daily.orig/src/misc/msg.c 2004-07-05 22:02:43.000000000 +0200
+++ openftpd-daily/src/misc/msg.c 2004-07-13 18:05:01.000000000 +0200
@@ -319,7 +319,7 @@
while (fgets(buff, 67, file)) {
if (*(buff+strlen(buff)-1) =3D=3D '\n') *(buff+strlen(buff)-1) =3D 0;
sprintf(str, " !C| !0%-66s !C|!0\n", buff);
- printf(str);
+ printf("%s", str);
}
fclose(file);
printf("!C \\__________________________________________________!Hend =
of message!C__/!0\n");
_EOF_
Details
=3D=3D=3D=3D=3D=3D=3D
When a user sends a message to another user an external program will be
called (msg). It is used for the OpenFTPD message handling.
[EMAIL PROTECTED]:~$ ncftp
=2E..
=2E..
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%=
08x|%08x]"
Message sent to andi.
ncftp / > site msg read
=2E________________________________________________________________________.
| Message sent from: andi Tue 13/07/2004 18:28:46 |
| |
| AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|4321=
2020|3021207c|41414141] |
\__________________________________________________end of message__/
Messages moved to archive box.
=2E..
=2E..
Lets have a look at the source code:
[openftpd-daily/src/misc/msg.c, function cat_message()]
=2E..
while (fgets(buff, 67, file)) {
if (*(buff+strlen(buff)-1) =3D=3D '\n') *(buff+strlen(buff)-1) =3D 0;
sprintf(str, " !C| !0%-66s !C|!0\n", buff);
printf(str);
}
=2E..
Timeline
=3D=3D=3D=3D=3D=3D=3D=3D
2004-04-02: Bug discovered
2004-07-14: Vendor notified (primemovr)
2004-07-16: Patch for format string bug
2004-07-22: public release
Discovered by
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Thomas Wana <[EMAIL PROTECTED]>
Further research by
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Andi <[EMAIL PROTECTED]>
Credits
=3D=3D=3D=3D=3D=3D=3D
void.at
--J/dobhs11T7y2rNN
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBCikJp97BNrByI3oRAjtqAJ93iT5HtJvxcDOBjcZ/1RvGtof2SQCeIV7+
Thl6yy0Z84ow+hiKOHIcC6A=
=fjmj
-----END PGP SIGNATURE-----
--J/dobhs11T7y2rNN--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
------------------------------
End of this Digest
******************
--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves
_______________________________________________
ilugd mailinglist -- [EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi
http://www.mail-archive.com/[EMAIL PROTECTED]/