Bugtraq mailing list archives
CVE-2006-5815: remote code execution in ProFTPD
From: John Morrissey <jwm () proftpd org>
Date: Mon, 27 Nov 2006 11:37:30 -0500
======= Summary ======= On 6 November 2006, Evgeny Legerov <admin () gleg net> posted to BUGTRAQ[1], announcing his commercial VulnDisco Pack for Metasploit 2.7[2]. One of the included exploits, vd_proftpd.pm, takes advantage of an off-by-one string manipulation flaw in ProFTPD's sreplace() function to allow a remote attacker to execute arbitrary code. This vulnerabillity, identified as CVE-2006-5815[3], is believed to affect all versions of ProFTPD up to and including 1.3.0, but exploitability has only been demonstrated with version 1.3.0rc3. The demonstrated exploit relies on write access via FTP for exploitability, but other attack vectors may make exploitation of a read-only FTP server possible. This vulnerability has been patched[4] in the latest release of ProFTPD, 1.3.0a, which is available from the ProFTPD web site, http://www.proftpd.org/. Mitigation techniques have also been developed for use until a patched version can be installed. ======== Timeline ======== 10 November - security () proftpd org receives a message from a ProFTPD user inquiring about a fix for the vulnerability announced in GLEG's product. 10 November - ProFTPD core team attempts contact with admin () gleg net. 15 November - Second contact attempt with admin () gleg net. 16 November - Contact established, vulnerability details transferred. 20 November - Disclosure date coordinated. 27 November - Coordinated disclosure. Given the Thanksgiving holiday, the ProFTPD core team chose to perform a coordinated disclosure the following Monday, to allow affected users and vendors ample opportunity to perform patching operations. Unfortunately, erroneous information on the location and nature of this flaw has disseminated from unofficial sources. Some vendors have already released patches that attempt to address CVE-2006-5815 based on reports that a bug in ProFTPD's CommandBufferSize processing is its cause. To the best of the core team's knowledge, the CommandBufferSize bug in ProFTPD is not exploitable. Vendors are welcomed and encouraged to contact security () proftpd org to exchange information on announced vulnerabilities, and we endeavor to work to the best of our abilities with those contacting the core team. Given that we had no information about this vulnerability until several days after it was published and a CVE issued, we attempted to address it to the best of our abilities. Constructive criticism is welcome on how to better handle similar situations should they arise in the future. ========== Mitigation ========== Some users may not be able to immediately patch their ProFTPD installations. Until they are able to install a patched version, the following steps can mitigate the impact of this flaw: - Remove DisplayConnect, DisplayLogin, DisplayChdir, DisplayFirstChdir, DisplayFileTransfer, AccessDenyMsg, and WrapDenyMsg directives from your ProFTPD configuration. - Avoid using variable substitutions/magic cookies/%-style escapes in /etc/shutmsg, when specifying a warning message with the ftpshut(8) command, or in RewriteRule directives. - Add a DenyFilter directive to your configuration to limit FTP command arguments to only characters that you require. For example: 'DenyFilter [^A-Za-z0-9_.-]' limits FTP command arguments (such as filenames) to alphanumeric characters, the underscore, period, and dash. [1] http://seclists.org/bugtraq/2006/Nov/0094.html [2] http://gleg.net/vulndisco_meta.shtml [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815 [4] http://proftp.cvs.sourceforge.net/proftp/proftpd/src/support.c?r1=1.79&r2=1.80&sortby=date
Attachment:
_bin
Description:
Current thread:
- CVE-2006-5815: remote code execution in ProFTPD John Morrissey (Nov 27)