Vulnerabilities > CVE-2004-2523 - Unspecified vulnerability in Openftpd FTP Server 0.29.4/0.30/0.30.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
openftpd
nessus
exploit available
NVD
Published: 2004-12-31
Updated: 2024-11-20

Summary

Format string vulnerability in the msg command (cat_message function in msg.c) in OpenFTPD 0.30.2 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in the message argument.

Vulnerable Configurations

Part Description Count
Application
Openftpd
4

Exploit-Db

  • descriptionOpenFTPD <= 0.30.1 (message system) Remote Shell Exploit. CVE-2004-2523. Remote exploit for linux platform
    idEDB-ID:373
    last seen2016-01-31
    modified2004-08-04
    published2004-08-04
    reporterinfamous41md
    sourcehttps://www.exploit-db.com/download/373/
    titleOpenFTPD <= 0.30.1 message system Remote Shell Exploit
  • descriptionOpenFTPD (<= 0.30.2) Remote Exploit. CVE-2004-2523. Remote exploit for linux platform
    idEDB-ID:372
    last seen2016-01-31
    modified2004-08-03
    published2004-08-03
    reporterAndi
    sourcehttps://www.exploit-db.com/download/372/
    titleOpenFTPD <= 0.30.2 - Remote Exploit

Nessus

NASL familyFTP
NASL idOPENFTPD_DETECTION.NASL
descriptionThe remote host is running OpenFTPD - an FTP server designed to help file sharing (aka
last seen2020-06-02
modified2004-08-01
plugin id14179
published2004-08-01
reporterThis script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/14179
titleOpenFTPD SITE MSG FTP Command Format String
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 script_id(14179);
 script_version("1.20");
 script_cve_id("CVE-2004-2523");
 script_bugtraq_id(10830);

 script_name(english:"OpenFTPD SITE MSG FTP Command Format String");

 script_set_attribute(attribute:"synopsis", value:
"The remote FTP server may be vulnerable to a format string attack." );
 script_set_attribute(attribute:"description", value:
"The remote host is running OpenFTPD - an FTP server designed to help
file sharing (aka 'warez').  Some versions of this server are
vulnerable to a remote format string attack that could allow an
authenticated attacker to execute arbitrary code on the remote host. 

Note that Nessus did not actually check for this flaw, so this might
be a false positive." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Aug/21" );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Jul/361" );
 script_set_attribute(attribute:"solution", value:
"Disable the remote service." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/01");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/07/22");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:openftpd:openftpd_ftp_server");
script_end_attributes();

 
 script_summary(english:"Determines the presence of OpenFTPD");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"FTP");
 script_dependencies("ftpserver_detect_type_nd_version.nasl");
 script_require_ports(21, "Services/ftp");
 exit(0);
}


include("ftp_func.inc");

port = get_ftp_port(default: 21);
banner = get_ftp_banner(port:port);
if ( ! banner ) exit(1);

#
# We only check for the banner :
# - Most (all) OpenFTPD server do not accept anonymous connections
# - The use of OpenFTPD is not encouraged in a corporation environment
#
if ( egrep(pattern:"^220 OpenFTPD server", string:banner ) )
	security_warning(port);

References