Bugzilla – Bug 2858
CVE-2006-5815: remote code execution in ProFTPD
Last modified: 2008-02-18 14:19:52 UTC
=======
Summary
=======

On 6 November 2006, Evgeny Legerov <admin@gleg.net> posted to BUGTRAQ[1], announcing his commercial VulnDisco Pack for Metasploit 2.7[2]. One of the included exploits, vd_proftpd.pm, takes advantage of an off-by-one string manipulation flaw in ProFTPD's sreplace() function to allow a remote attacker to execute arbitrary code. This vulnerability, identified as CVE-2006-5815[3], is believed to affect all versions of ProFTPD up to and including 1.3.0, but exploitability has only been demonstrated with version 1.3.0rc3. The demonstrated exploit relies on write access via FTP for exploitability, but other attack vectors may make exploitation of a read-only FTP server possible.

This vulnerability has been patched[4] in the latest release of ProFTPD, 1.3.0a, which is available from the ProFTPD web site, http://www.proftpd.org/. Mitigation techniques have also been developed for use until a patched version can be installed.

========
Timeline
========

10 November - security@proftpd.org receives a message from a ProFTPD user inquiring about a fix for the vulnerability announced in GLEG's product.
10 November - ProFTPD core team attempts contact with admin@gleg.net.
15 November - Second contact attempt with admin@gleg.net.
16 November - Contact established, vulnerability details transferred.
20 November - Disclosure date coordinated.
27 November - Coordinated disclosure.

Given the Thanksgiving holiday, the ProFTPD core team chose to perform a coordinated disclosure the following Monday, to allow affected users and vendors ample opportunity to perform patching operations.

Unfortunately, erroneous information on the location and nature of this flaw has disseminated from unofficial sources. Some vendors have already released patches that attempt to address CVE-2006-5815 based on reports that a bug in ProFTPD's CommandBufferSize processing is its cause. To the best of the core team's knowledge, the CommandBufferSize bug in ProFTPD is not exploitable.

Vendors are welcomed and encouraged to contact security@proftpd.org to exchange information on announced vulnerabilities, and we endeavor to work to the best of our abilities with those contacting the core team. Given that we had no information about this vulnerability until several days after it was published and a CVE issued, we attempted to address it to the best of our abilities. Constructive criticism is welcome on how to better handle similar situations should they arise in the future.

==========
Mitigation
==========

Some users may not be able to immediately patch their ProFTPD installations. Until they are able to install a patched version, the following steps can mitigate the impact of this flaw:

- Remove DisplayConnect, DisplayLogin, DisplayChdir, DisplayFirstChdir, DisplayFileTransfer, AccessDenyMsg, and WrapDenyMsg directives from your ProFTPD configuration.
- Avoid using variable substitutions/magic cookies/%-style escapes in /etc/shutmsg, when specifying a warning message with the ftpshut(8) command, or in RewriteRule directives.
- Add a DenyFilter directive to your configuration to limit FTP command arguments to only characters that you require. For example: 'DenyFilter [^A-Za-z0-9_.-]' limits FTP command arguments (such as filenames) to alphanumeric characters, the underscore, period, and dash.

[1] http://seclists.org/bugtraq/2006/Nov/0094.html
[2] http://gleg.net/vulndisco_meta.shtml
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
[4] http://proftp.cvs.sourceforge.net/proftp/proftpd/src/support.c?r1=1.79&r2=1.80&sortby=date
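The three mitigation steps above can be checked mechanically on an unpatched host. The script below is an added example, not part of the original advisory or of ProFTPD; the function names and the sample configuration are constructed for illustration, and it assumes directive names are matched case-insensitively.

```python
import re

# Directives the advisory says to remove until a patched ProFTPD is installed.
RISKY_DIRECTIVES = {
    "displayconnect", "displaylogin", "displaychdir", "displayfirstchdir",
    "displayfiletransfer", "accessdenymsg", "wrapdenymsg",
}

def audit_config(text):
    """Return (findings, has_deny_filter) for the text of a proftpd.conf."""
    findings, has_deny_filter = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives are inactive
        parts = line.split(None, 1)
        name = parts[0].lower()  # assumption: names compared case-insensitively
        args = parts[1] if len(parts) > 1 else ""
        if name in RISKY_DIRECTIVES:
            findings.append((lineno, parts[0], "remove until patched"))
        elif name == "rewriterule" and "%" in args:
            findings.append((lineno, parts[0], "uses %-style substitution"))
        elif name == "denyfilter":
            has_deny_filter = True
    return findings, has_deny_filter

def audit_shutmsg(text):
    """Return 1-based line numbers of a shutmsg body containing %-escapes."""
    return [n for n, l in enumerate(text.splitlines(), 1) if re.search(r"%\w", l)]

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
ServerName "example"
DisplayLogin welcome.msg
# DisplayConnect /etc/issue
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule ^(.*)$ %u/$1
</IfModule>
AccessDenyMsg "Access denied for %u"
"""

if __name__ == "__main__":
    findings, has_filter = audit_config(SAMPLE_CONF)
    for lineno, directive, why in findings:
        print(f"line {lineno}: {directive}: {why}")
    if not has_filter:
        print("no DenyFilter set; advisory example: DenyFilter [^A-Za-z0-9_.-]")
    print("shutmsg lines with escapes:", audit_shutmsg("Down at %s\nBye\n"))
```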
Created attachment 2547: Fix for CVE-2006-5815

Patch committed.