Vulnerabilities > CVE-2004-2523 - Remote Message Format String vulnerability in Openftpd FTP Server 0.29.4/0.30/0.30.1

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
openftpd
nessus
exploit available

Summary

Format string vulnerability in the msg command (cat_message function in msg.c) in OpenFTPD 0.30.2 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in the message argument.

Exploit-Db

  • descriptionOpenFTPD <= 0.30.1 (message system) Remote Shell Exploit. CVE-2004-2523. Remote exploit for linux platform
    idEDB-ID:373
    last seen2016-01-31
    modified2004-08-04
    published2004-08-04
    reporterinfamous41md
    sourcehttps://www.exploit-db.com/download/373/
    titleOpenFTPD <= 0.30.1 message system Remote Shell Exploit
  • descriptionOpenFTPD (<= 0.30.2) Remote Exploit. CVE-2004-2523. Remote exploit for linux platform
    idEDB-ID:372
    last seen2016-01-31
    modified2004-08-03
    published2004-08-03
    reporterAndi
    sourcehttps://www.exploit-db.com/download/372/
    titleOpenFTPD <= 0.30.2 - Remote Exploit

Nessus

NASL familyFTP
NASL idOPENFTPD_DETECTION.NASL
descriptionThe remote host is running OpenFTPD - an FTP server designed to help file sharing (aka
last seen2020-06-02
modified2004-08-01
plugin id14179
published2004-08-01
reporterThis script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/14179
titleOpenFTPD SITE MSG FTP Command Format String
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 script_id(14179);
 script_version("1.20");
 script_cve_id("CVE-2004-2523");
 script_bugtraq_id(10830);

 script_name(english:"OpenFTPD SITE MSG FTP Command Format String");

 script_set_attribute(attribute:"synopsis", value:
"The remote FTP server may be vulnerable to a format string attack." );
 script_set_attribute(attribute:"description", value:
"The remote host is running OpenFTPD - an FTP server designed to help
file sharing (aka 'warez').  Some versions of this server are
vulnerable to a remote format string attack that could allow an
authenticated attacker to execute arbitrary code on the remote host. 

Note that Nessus did not actually check for this flaw, so this might
be a false positive." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Aug/21" );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Jul/361" );
 script_set_attribute(attribute:"solution", value:
"Disable the remote service." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/01");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/07/22");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:openftpd:openftpd_ftp_server");
script_end_attributes();

 
 script_summary(english:"Determines the presence of OpenFTPD");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"FTP");
 script_dependencies("ftpserver_detect_type_nd_version.nasl");
 script_require_ports(21, "Services/ftp");
 exit(0);
}


include("ftp_func.inc");

port = get_ftp_port(default: 21);
banner = get_ftp_banner(port:port);
if ( ! banner ) exit(1);

#
# We only check for the banner :
# - Most (all) OpenFTPD server do not accept anonymous connections
# - The use of OpenFTPD is not encouraged in a corporation environment
#
if ( egrep(pattern:"^220 OpenFTPD server", string:banner ) )
	security_warning(port);