openftpd.txt

openftpd.txt: Posted Nov 2, 2005; Authored by unl0ck | Site exploiterz.org; OpenFTPD format string.; SHA-256 | a8032a2d183273e02f396cf5f3841e754e681f16de385389898314da77a7b48f; Download | Favorite | View

openftpd.txt

                        -= Unl0ck Team Security Advisory =-

        ____ ___       __  _______           __      ___________
       |    |   \____ |  | \   _  \    ____ |  | __  \__    ___/___ _____    _____
       |    |   /    \|  | /  /_\  \_ / ___\|  |/ /    |    |_/ __ \\__  \  /     \
       |    |  /   |  \  |_\  \_/   \  \___ |    <     |    |\  ___/ / __ \|  Y Y  \
       |______/|___|  /____/\_____  /\_____ >__|_ \    |____| \___  >____  /__|_|  /
                    \/            \/       \/    \/               \/     \/      \/
                         ... the best way of protection is attack

Advisory          : #8 by unl0ck team
Product           : openftpd (latest version)
Vendor            : https://openftpd.org
Date              : 24.09.2004.
Impact            : format string vulnerability
Advisory URL      : https://unl0ck.info/advisories/openftpd.txt

-=[ Overview

OpenFTPD  is  a  free,  open  source  FTP   server
implementation for the UNIX platform. It is  based
on  FTP4ALL (www.ftp4all.de)  but the  differences
are quite big already.

  ]=-
  
-=[ Vulnerability

Format String Vulnerability exists in folowing files:

\openftpd-daily\src\ftpd\sections.c
\openftpd-daily\src\misc\msg.c

sections.c file:

int f4adp_sec_set(struct child_s* c, char** p, int n)
{
...
    char              filename[256];
    char              filenametmp[256];
    char              *q;
    FILE*             file;
    FILE*             filetmp;
...
 while (fgets(str, sizeof(str), file)) {
      q = str;
      while (isspace(*q))
         q++;
      if (!strncasecmp(q, p[1], strlen(p[1])) && *(q + strlen(p[1])) == ' ') {
         found = 1;
         g_snprintf(str, sizeof(str), "%-20s               %s\n", p[1], p[2]);
      }
      fprintf(filetmp, str); // <--- format string vulnerability
   }

...

msg.c file:

void cat_help()
{
   char name[256];
   FILE *file;
   char *serverdir = NULL;
...
   if (!(file=fopen(name,"rt"))) {
      printf("Error opening msg help file\n");
      return;
   }
   while (fgets(name, sizeof(name)-1, file)) {
      printf(name); // <--- format string vulnerability
   }
...

I must say that in function cat_help() you can't manipulate. But also it's wrong and this function must be fixed!

To avoid bug use:

fprintf(filetmp, "%s", str);
and
printf("%s", name);

  ]=-
  
-=[ Credits

Found this bug D4rk Eagle
mailto:darkeagle@list.ru
Unl0ck Team [https://unl0ck.net.ru] || [https://unl0ck.info]

  ]=-

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

openftpd.txt

openftpd.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

openftpd.txt

Share This

openftpd.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems