OpenFTPD format string.
a8032a2d183273e02f396cf5f3841e754e681f16de385389898314da77a7b48f
-= Unl0ck Team Security Advisory =-
____ ___ __ _______ __ ___________
| | \____ | | \ _ \ ____ | | __ \__ ___/___ _____ _____
| | / \| | / /_\ \_ / ___\| |/ / | |_/ __ \\__ \ / \
| | / | \ |_\ \_/ \ \___ | < | |\ ___/ / __ \| Y Y \
|______/|___| /____/\_____ /\_____ >__|_ \ |____| \___ >____ /__|_| /
\/ \/ \/ \/ \/ \/ \/
... the best way of protection is attack
Advisory : #8 by unl0ck team
Product : openftpd (latest version)
Vendor : https://openftpd.org
Date : 24.09.2004.
Impact : format string vulnerability
Advisory URL : https://unl0ck.info/advisories/openftpd.txt
-=[ Overview
OpenFTPD is a free, open source FTP server
implementation for the UNIX platform. It is based
on FTP4ALL (www.ftp4all.de) but the differences
are quite big already.
]=-
-=[ Vulnerability
Format String Vulnerability exists in folowing files:
\openftpd-daily\src\ftpd\sections.c
\openftpd-daily\src\misc\msg.c
sections.c file:
int f4adp_sec_set(struct child_s* c, char** p, int n)
{
...
char filename[256];
char filenametmp[256];
char *q;
FILE* file;
FILE* filetmp;
...
while (fgets(str, sizeof(str), file)) {
q = str;
while (isspace(*q))
q++;
if (!strncasecmp(q, p[1], strlen(p[1])) && *(q + strlen(p[1])) == ' ') {
found = 1;
g_snprintf(str, sizeof(str), "%-20s %s\n", p[1], p[2]);
}
fprintf(filetmp, str); // <--- format string vulnerability
}
...
msg.c file:
void cat_help()
{
char name[256];
FILE *file;
char *serverdir = NULL;
...
if (!(file=fopen(name,"rt"))) {
printf("Error opening msg help file\n");
return;
}
while (fgets(name, sizeof(name)-1, file)) {
printf(name); // <--- format string vulnerability
}
...
I must say that in function cat_help() you can't manipulate. But also it's wrong and this function must be fixed!
To avoid bug use:
fprintf(filetmp, "%s", str);
and
printf("%s", name);
]=-
-=[ Credits
Found this bug D4rk Eagle
mailto:darkeagle@list.ru
Unl0ck Team [https://unl0ck.net.ru] || [https://unl0ck.info]
]=-