mtftpd <= 0.0.3 format string vulnerability

2005-03-31T00:00:00
ID SECURITYVULNS:DOC:8173
Type securityvulns
Reporter Securityvulns
Modified 2005-03-31T00:00:00

Description

mtftpd <= 0.0.3 format string vulnerability

number: #15 author: darkeagle date: xx.10.04 vendor: http://mtftpd.sourceforge.net status: mtftpd don't supported

overview:

mtftpd - simple ftp daemon in Unix like systems.

details:

1st of all... i wanna said, that this bug was stollen by setnf. i said to him about this bug.. and he released ( without my agree ) it under some team name.

continue... format string vulnerability was founded in this ftpd. remote user can execute evil code and gain root access.

/home/darkeagle/research/mtftpd-0.0.3/src/log.c:

static void log_do(const int err, const int prd, const char *fmt, va_list ap) {

define MAXLINE 4096

int errno_save;
char buf[MAXLINE];

...

else

syslog&#40;prd, buf&#41;;  &lt;------- format string vulnerability

endif

}

as you can see, vulnerability exist in syslog function.

/home/darkeagle/research/mtftpd-0.0.3/src/cmd.c:

CMD_P(cwd) { int ret;

if MT_DEBUG

log_msg&#40;&quot;session: &#37;d. You are into cmd_cwd&#40;&#41;&quot;, ses-&gt;ses&#41;;

endif

.... log_ret("chdir error to dir %s", path); ... }

so, from source code we can see, that vulnerability function using when remote user try to change directory with "CWD" function.

NOTE: mtftpd is vulnerable only if statistic option is enable. by default it's disabled.

exploit:

An exploit is avaible to download from our site ( http://unl0ck.org ). An exploit send special crafted data and binds shell on 2003 port.

greetz: all unl0ckerz, nosystemz, rosielloz etc..

(c) uKt Research 2004-2005 http://unl0ck.org

darkeagle [at] linkin-park [dot] cc darkeagle [at] unl0ck [dot] org