[VSA0402 - openftpd - void.at security notice] Overview ======== We have discovered a format string vulnerability in openftpd (http://www.openftpd.org:9673/openftpd). OpenFTPD is a free, open source FTP server implementation for the UNIX platform. FTP4ALL is not vulnerable (it doesnt use that message system). Affected Versions ================= This affects openftpd version up to 0.30.2. This includes also the old version 0.29.4. Impact ====== Middle. Remote Shell Access when you have an working FTP user account. Workaround: =========== Apply the following patch or upgrade to the latest CVS version. cat > openftpd_formatstring.patch << _EOF_ - --- openftpd-daily.orig/src/misc/msg.c 2004-07-05 22:02:43.000000000 +0200 +++ openftpd-daily/src/misc/msg.c 2004-07-13 18:05:01.000000000 +0200 @@ -319,7 +319,7 @@ while (fgets(buff, 67, file)) { if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0; sprintf(str, " !C| !0%-66s !C|!0\n", buff); - - printf(str); + printf("%s", str); } fclose(file); printf("!C \\__________________________________________________!Hend of message!C__/!0\n"); _EOF_ Details ======= When a user sends a message to another user an external program will be called (msg). It is used for the OpenFTPD message handling. andi@hoagie:~$ ncftp ... ... ncftp / > site msg purge All the messages in trash box purged. ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]" Message sent to andi. ncftp / > site msg read .________________________________________________________________________. | Message sent from: andi Tue 13/07/2004 18:28:46 | | | | AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212020|3021207c|41414141] | \__________________________________________________end of message__/ Messages moved to archive box. ... ... Lets have a look at the source code: [openftpd-daily/src/misc/msg.c, function cat_message()] ... while (fgets(buff, 67, file)) { if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0; sprintf(str, " !C| !0%-66s !C|!0\n", buff); printf(str); } ... Timeline ======== 2004-04-02: Bug discovered 2004-07-14: Vendor notified (primemovr) 2004-07-16: Patch for format string bug 2004-07-22: public release Discovered by ============= Thomas Wana <greuff@xxxxxxx> Further research by =================== Andi <andi@xxxxxxx> Credits ======= void.at
Attachment:
pgp1Bl1cdbhJ0.pgp
Description: PGP signature