CVE-2004-2523
Published 2004-12-31
Priority: P4 (32) · Severity: medium · CVSS 2.0 base score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploit available · EPSS: 5.40% (91.7th percentile)
Format string vulnerability in the msg command (cat_message function in msg.c) in OpenFTPD 0.30.2 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in the message argument.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openftpd | openftpd_ftp_server | <= 0.30.2 | — |
No detection rules found.
Exploit-DB: OpenFTPd 0.30.1 - message system Remote Shell (exploitdb, 2004-08-04)
---
```c
/*
 * shouts to mitakeet :D
 *
 * exploit for openftpd format string bug. tested on most current version only.
 * -infamous42md AT hotpop DOT com is real email
 *
 * only tricky part is finding a place to stick the shell, as there isn't enough
 * room to send it with the format string. thankfully when using the 'site msg'
 * commands, all of the args to command are passed directly through to the msg
 * program. so when we tell ftpd to read messages with 'site msg read X', we
 * pass the shellcode as X. the jumpslot for fclose() gets hijacked, and the
 * retaddr lies early in stack, it's argv[3].
 * no values are hardcoded into sploit, all come from command line, this works
 * for me on slack 9:
 *
 * [n00b localho outernet] ./openf -u root -p "" -l 0x0804d
```
Exploit-DB: OpenFTPd 0.30.2 - Remote Overflow (exploitdb, 2004-08-03)
---
```c
/***********************************************************
 * hoagie_openftpd.c
 * LINUX/X86 OPENFTPD REMOTE EXPLOIT (: jmp *0x804db90
 *                                         ^^^^^^^^^
 *                                         the first one
 * (gdb) break main
 * Breakpoint 1 at 0x804bd05
 * (gdb) r
 * Starting program: /home/andi/openftpd/bin/msg
 * [Thread debugging using libthread_db enabled]
 * [New Thread 16384 (LWP 29479)]
 * [Switching to Thread 16384 (LWP 29479)]
 *
 * Breakpoint 1, 0x0804bd05 in main ()
 * (gdb) x/i system
 * 0x40071c40 : push %ebp
 * ^^^^^^^^^^
 * the second address
 *
 * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
 * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
 * DAMAGE DONE USING THIS PROGRAM.
 *
 * VOID.AT Security
 * [email protected]
 * http://www.void.at
 *
 ***************************************
```
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/bugtraq/2004-07/0350.html
- http://archives.neohapsis.com/archives/bugtraq/2004-08/0017.html
- http://secunia.com/advisories/12174
- http://securitytracker.com/id?1010823
- http://www.openftpd.org:9673/openftpd
- http://www.osvdb.org/8261
- http://www.securityfocus.com/bid/10830
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16843