OpenFTPD is a free, open source FTP server implementation for the UNIX platform.
OpenFTPD suffers from a format string vulnerability when handling the SITE MSG command.
Credit:
The information has been provided by Thomas Wana.
Vulnerable Systems:
* OpenFTPD 0.30.2 and prior
Immune Systems:
* OpenFTPD 0.30.2 - Immune since 2004-07-16
Impact:
Remote execution of arbitrary code by an attacker who has a working FTP account on the remote server.
Technical Details:
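When a user sends a message to another user with the SITE MSG command, an external program (msg) is called; it implements OpenFTPD's message handling. In the session below, the format specifiers placed in the message body are expanded when the message is read, and the tenth %08x prints 41414141, the bytes of the leading "AAAA", which shows that the message text itself is being used as the format string.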
andi@hoagie:~$ ncftp
...
...
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read
| Message sent from: andi Tue 13/07/2004 18:28:46
|
| AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212020|3021207c|41414141]
Vulnerable Code:
From openftpd-daily/src/misc/msg.c, function cat_message():
--------------------------------- Begin Code ---------------------------------
...
while (fgets(buff, 67, file)) {
    if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
    sprintf(str, " !C| !0%-66s !C|!0\n", buff);
    printf(str); //<--- should be printf("%s",str);
}
...
---------------------------------- End Code ----------------------------------
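Added example (not OpenFTPD's code and not the vendor's patch): a hardened form of the loop above, in which the message text is only ever an argument to a constant format string. The names render_line and cat_message_safe and the 128-byte size of str are assumptions made for illustration; the page does not show how str is declared.

```c
#include <stdio.h>
#include <string.h>

/* Build one display line from a constant format string. The message text
 * is passed only as an argument, so any '%' it contains is copied
 * literally. Returns 0 on success, -1 if out is too small. */
int render_line(const char *buff, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, " !C| !0%-66s !C|!0\n", buff);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened counterpart of the cat_message() loop: copy every line of
 * `file` to `dst`. Returns the number of lines written, or -1 on error. */
int cat_message_safe(FILE *file, FILE *dst)
{
    char buff[67];      /* same read size as the original fgets() call */
    char str[128];      /* assumed size; 80 bytes + NUL are needed */
    int lines = 0;

    while (fgets(buff, sizeof buff, file)) {
        /* strcspn never indexes buff[-1], even if the line is empty */
        buff[strcspn(buff, "\n")] = '\0';
        if (render_line(buff, str, sizeof str) != 0)
            return -1;
        if (fputs(str, dst) == EOF)   /* data is output, never a format */
            return -1;
        lines++;
    }
    return lines;
}

int main(void)
{
    /* Constructed sample: message text modelled on the session above. */
    FILE *f = tmpfile();
    if (!f) return 1;
    fputs("AAAA%08x|%08x|%08x]\n", f);
    rewind(f);
    return cat_message_safe(f, stdout) == 1 ? 0 : 1;
}
```

Compiling with -Wformat -Wformat-security (GCC or Clang) flags calls of the printf(str) shape at build time.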
Vendor Status:
The vendor has been contacted and a newer version is available for download. Users are encouraged to upgrade to the newer version, which is available at www.openftpd.org.