[Please upgrade if you run OpenFTPD -- Raju]
This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------
From: "VOID.AT Security" <[EMAIL PROTECTED]>
Subject: [Full-Disclosure] [VSA0402] OpenFTPD format string vulnerability
Date: Fri, 30 Jul 2004 12:55:07 +0200
[VSA0402 - openftpd - void.at security notice]

Overview
========

We have discovered a format string vulnerability in openftpd
(http://www.openftpd.org:9673/openftpd). OpenFTPD is a free,
open source FTP server implementation for the UNIX platform.
FTP4ALL is not vulnerable (it doesn't use that message system).

Affected Versions
=================

This affects OpenFTPD versions up to 0.30.2, which includes
the older 0.29.4 release as well.

Impact
======

Medium.
Remote shell access for an attacker who holds a working FTP user account.

Workaround
==========

Apply the following patch or upgrade to the latest CVS version.
cat > openftpd_formatstring.patch << _EOF_
--- openftpd-daily.orig/src/misc/msg.c 2004-07-05 22:02:43.000000000 +0200
+++ openftpd-daily/src/misc/msg.c 2004-07-13 18:05:01.000000000 +0200
@@ -319,7 +319,7 @@
while (fgets(buff, 67, file)) {
if (*(buff+strlen(buff)-1) =3D=3D '\n') *(buff+strlen(buff)-1) =3D 0;
sprintf(str, " !C| !0%-66s !C|!0\n", buff);
- printf(str);
+ printf("%s", str);
}
fclose(file);
printf("!C \\__________________________________________________!Hend =
of message!C__/!0\n");
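Review bot: the change to `printf("%s", str)` closes the format string hole, but `str` is still filled by an unbounded `sprintf` two lines above and its declaration is outside the hunk. With `fgets(buff, 67, file)` a line is at most 66 bytes and `%-66s` pads it to exactly 66, so the padded line is 7 + 66 + 7 bytes plus the terminator: `str` needs at least 81 bytes, and anything smaller is a buffer overflow the patch does not address. The simpler fix drops the intermediate buffer altogether: `printf(" !C| !0%-66s !C|!0\n", buff);`. Two caveats for anyone applying the patch as pasted: the context line reads `=3D=3D` and the final `printf` is split across two lines by a trailing `=`, both quoted-printable encoding from the mail, so decode before `patch` will match the context; and the diff is taken against `openftpd-daily`, so it may need fuzz against the 0.30.2 release tree.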
_EOF_
Details
=======

When a user sends a message to another user, an external program (msg)
is called; it implements OpenFTPD's message handling. In cat_message()
the stored message is read back line by line with fgets(), each line is
padded into a display string with sprintf(), and that string is then
handed to printf() as its format string. Any conversion directives the
sender placed in the message body are therefore interpreted by printf().
$ ncftp
...
...
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read
.________________________________________________________________________.
| Message sent from: andi Tue 13/07/2004 18:28:46 |
| |
| AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212020|3021207c|41414141] |
\__________________________________________________end of message__/
Messages moved to archive box.
...
...
The ten %08x directives each consume one word from the stack. The tenth
word printed is 41414141, the "AAAA" at the start of the message itself,
so the sender's own bytes are within reach of the format directives. That
is the precondition for turning this read primitive into a write with %n.

Let's have a look at the source code:

[openftpd-daily/src/misc/msg.c, function cat_message()]
...
    while (fgets(buff, 67, file)) {
        if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
        sprintf(str, " !C| !0%-66s !C|!0\n", buff);
        printf(str);   /* str carries the user's message: format string bug */
    }
...
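The following is an added example and not OpenFTPD's code. It rebuilds the cat_message() pattern in a harmless form (writing to a buffer instead of stdout) beside the fixed form, and adds a small scanner that flags message lines carrying printf conversion directives, the kind of check one could run over stored message files. The format string " !C| !0%-66s !C|!0\n" and the 67-byte fgets() width are taken from the advisory; the function names and the sample inputs are hypothetical.

```c
/* Added example, not OpenFTPD's code. Assumed names: emit_as_format,
 * format_line_vulnerable, format_line_fixed, count_directives. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MSG_FMT " !C| !0%-66s !C|!0\n"   /* format used by cat_message() */
#define OUT_LEN 128                       /* 7 + 66 + 7 + NUL = 81 needed  */

/* Stand-in for printf(str): a plain variadic wrapper has no format
 * attribute, so the compiler stays quiet and the behaviour is exactly
 * "user string used as the format". Output goes to a buffer. */
static int emit_as_format(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable shape: the padded message line itself becomes the format. */
int format_line_vulnerable(char *out, size_t n, const char *buff)
{
    char str[OUT_LEN];
    snprintf(str, sizeof str, MSG_FMT, buff);
    return emit_as_format(out, n, str);   /* same as printf(str) */
}

/* Fixed shape: one call with a constant format; the line is only a %s arg. */
int format_line_fixed(char *out, size_t n, const char *buff)
{
    return snprintf(out, n, MSG_FMT, buff);
}

/* Count the conversion directives printf would act on in a message line.
 * "%%" is a literal percent sign and is skipped. *has_n is set when any
 * directive is %n, the one that writes memory instead of reading it. */
int count_directives(const char *s, bool *has_n)
{
    int count = 0;
    *has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            break;                          /* lone '%' at end of line */
        if (*p == '%')
            continue;                       /* "%%" */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;                            /* flags, width, precision, length */
        if (*p == '\0')
            break;
        if (*p == 'n')
            *has_n = true;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: the advisory's stack-read probe, a %n probe, and
     * a benign line whose "%%" shows the two formatters diverging without
     * needing any printf arguments (so the vulnerable path stays defined). */
    const char *probe = "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]";
    const char *write_probe = "%n";
    const char *benign = "100%% sure";
    bool has_n;
    char vuln[OUT_LEN], fixed[OUT_LEN];

    int c = count_directives(probe, &has_n);
    printf("probe: %d directives, has %%n: %d\n", c, has_n);
    c = count_directives(write_probe, &has_n);
    printf("write probe: %d directives, has %%n: %d\n", c, has_n);

    format_line_vulnerable(vuln, sizeof vuln, benign);
    format_line_fixed(fixed, sizeof fixed, benign);
    printf("vulnerable: %s", vuln);   /* shows "100% sure": %% was consumed */
    printf("fixed:      %s", fixed);  /* shows "100%% sure": text untouched */
    return 0;
}
```

The benign input is deliberate: "%%" is the only directive that is well defined with no arguments, so it demonstrates the line being interpreted as a format without invoking undefined behaviour. The scanner treats "%%" as harmless and anything else as a directive, which is the right bias for a quick sweep of stored message files.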
Timeline
========

2004-04-02: Bug discovered
2004-07-14: Vendor notified (primemovr)
2004-07-16: Patch for format string bug
2004-07-22: Public release

Discovered by
=============

Thomas Wana <[EMAIL PROTECTED]>

Further research by
===================

Andi <[EMAIL PROTECTED]>

Credits
=======

void.at
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves
_______________________________________________
linux-india-help mailing list
https://lists.sourceforge.net/lists/listinfo/linux-india-help