ports/105510: security: ftp/proftpd "CommandBufferSize" Directive Remote Code Execution Vulnerability
Alex Samorukov
samm at os2.kiev.ua
Tue Nov 14 07:00:06 UTC 2006
>Number: 105510
>Category: ports
>Synopsis: security: ftp/proftpd "CommandBufferSize" Directive Remote Code Execution Vulnerability
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 14 07:00:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Alex Samorukov
>Release: FreeBSD 6.1-RELEASE i386
>Organization:
Shevchenko Didkovskiy and Partners
>Environment:
System: FreeBSD 6.1-RELEASE #2: Wed May 17 22:22:18 EEST 2006
root at samm.local:/usr/obj/usr/src/sys/SAMMKRNL
>Description:
A vulnerability has been identified in ProFTPD which could be exploited by attackers to cause a denial of service or execute arbitrary commands. The flaw is a buffer overflow in "main.c": "cmd_buf_size", the size of the buffer used to handle FTP commands sent by clients, is not properly set to the size configured via the "CommandBufferSize" directive. An attacker could exploit this to compromise a vulnerable server with a specially crafted FTP command.
I backported the fix from http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date
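As an added illustration (not code from this PR, the advisory or ProFTPD itself), the C model below reproduces the shape of the defect the description names and the shape of the fix: a size variable initialised to a sentinel of -1 that is only replaced on the error paths, so a valid configured value leaves the sentinel in place, and a size_t-taking reader then sees an effectively unbounded limit. ACTUAL_BUF_SIZE stands in for the real command buffer size, CMD_BUF_DEFAULT for the 512-byte default, and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not ProFTPD's code: a simplified model of the
 * CommandBufferSize handling described in this PR.  ACTUAL_BUF_SIZE stands
 * in for the real command buffer's size, CMD_BUF_DEFAULT for the 512-byte
 * default; the function names are constructed for this example. */
#define ACTUAL_BUF_SIZE 1024
#define CMD_BUF_DEFAULT 512

/* Vulnerable shape: cmd_buf_size starts at the sentinel -1 and is only
 * replaced on the two error paths.  A valid configured value falls
 * through without assignment, so the sentinel survives. */
static long resolve_cmd_buf_size_vulnerable(const long *configured) {
    long cmd_buf_size = -1;

    if (configured == NULL || *configured <= 0)
        cmd_buf_size = CMD_BUF_DEFAULT;
    else if (*configured + 1 > ACTUAL_BUF_SIZE)
        cmd_buf_size = CMD_BUF_DEFAULT;
    /* no else: the in-range value is never stored */

    return cmd_buf_size;
}

/* Hardened shape: the absent-directive case is handled before any
 * dereference, every path assigns, and the result is bounded by the
 * real buffer with room for a terminating NUL. */
static long resolve_cmd_buf_size_fixed(const int *configured) {
    if (configured == NULL)
        return CMD_BUF_DEFAULT;                 /* directive not set: plain default */

    if (*configured <= 0 || (size_t)*configured + 1 > ACTUAL_BUF_SIZE) {
        fprintf(stderr, "invalid CommandBufferSize %d, using %d\n",
                *configured, CMD_BUF_DEFAULT);  /* safe: pointer is non-NULL here */
        return CMD_BUF_DEFAULT;
    }

    return (long)*configured;
}

/* What a reader taking size_t sees: converting the leftover -1 yields
 * SIZE_MAX, i.e. an effectively unbounded copy into a fixed buffer. */
static size_t effective_read_limit(long cmd_buf_size) {
    return (size_t)cmd_buf_size;
}

/* Does the limit fit the real buffer with one byte spare?  Written as
 * limit < size rather than limit + 1 <= size, because limit + 1 wraps
 * to 0 when limit == SIZE_MAX and would wrongly pass the check. */
static int limit_is_safe(size_t limit) {
    return limit < ACTUAL_BUF_SIZE;
}

int main(void) {
    long configured_long = 1000;   /* a valid CommandBufferSize, constructed */
    int configured_int = 1000;

    long vuln = resolve_cmd_buf_size_vulnerable(&configured_long);
    long fixed = resolve_cmd_buf_size_fixed(&configured_int);

    printf("vulnerable: cmd_buf_size=%ld -> read limit %zu (%s)\n",
           vuln, effective_read_limit(vuln),
           limit_is_safe(effective_read_limit(vuln)) ? "safe" : "UNSAFE");
    printf("fixed:      cmd_buf_size=%ld -> read limit %zu (%s)\n",
           fixed, effective_read_limit(fixed),
           limit_is_safe(effective_read_limit(fixed)) ? "safe" : "UNSAFE");
    return 0;
}
```

The check in `limit_is_safe` is deliberately written as `limit < size` rather than `limit + 1 <= size`: with the sentinel converted to SIZE_MAX the addition wraps to zero, and the naive comparison would report the unbounded limit as fitting the buffer.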
>How-To-Repeat:
see http://www.frsirt.com/english/advisories/2006/4451
>Fix:
--- /usr/ports/ftp/proftpd/Makefile Tue Nov 14 08:33:35 2006
+++ /usr/home/samm/tmp/proftpd/Makefile Tue Nov 14 08:44:21 2006
@@ -7,7 +7,7 @@
PORTNAME= proftpd
DISTVERSION= 1.3.0
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= ftp
MASTER_SITES= ftp://ftp.proftpd.org/distrib/source/ \
ftp://ftp.fastorama.com/mirrors/ftp.proftpd.org/distrib/source/ \
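Review bot: The PORTREVISION bump from 2 to 3 is the right accompaniment to the new files/patch-main.c, so that installed packages are flagged for upgrade; one nit on this first file is that it lacks the `diff -ruN --exclude=CVS ...` header line the second file carries, so please regenerate both from a single `diff -ruN` run so the whole patch applies at the same strip level.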
diff -ruN --exclude=CVS /usr/ports/ftp/proftpd/files/patch-main.c /usr/home/samm/tmp/proftpd/files/patch-main.c
--- /usr/ports/ftp/proftpd/files/patch-main.c Thu Jan 1 03:00:00 1970
+++ /usr/home/samm/tmp/proftpd/files/patch-main.c Tue Nov 14 08:47:53 2006
@@ -0,0 +1,46 @@
+--- src/main.c.orig Wed Mar 15 21:41:01 2006
++++ src/main.c Tue Nov 14 08:47:12 2006
+@@ -116,6 +116,8 @@
+
+ static char sbuf[PR_TUNABLE_BUFFER_SIZE] = {'\0'};
+
++#define PR_DEFAULT_CMD_BUFSZ 512
++
+ static char **Argv = NULL;
+ static char *LastArgv = NULL;
+ static const char *PidPath = PR_PID_FILE_PATH;
+@@ -820,16 +822,25 @@
+ pr_timer_reset(TIMER_IDLE, NULL);
+
+ if (cmd_buf_size == -1) {
+- long *buf_size = get_param_ptr(main_server->conf,
+- "CommandBufferSize", FALSE);
+-
+- if (buf_size == NULL || *buf_size <= 0)
+- cmd_buf_size = 512;
++ int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize",
++ FALSE);
+
+- else if (*buf_size + 1 > sizeof(buf)) {
+- pr_log_pri(PR_LOG_WARNING, "Invalid CommandBufferSize size given. "
+- "Resetting to 512.");
+- cmd_buf_size = 512;
++ if (bufsz == NULL ||
++ *bufsz <= 0) {
++ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
++ "given, resetting to default buffer size (%u)",
++ *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ);
++ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++
++ } else if (*bufsz + 1 > sizeof(buf)) {
++ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
++ "given, resetting to default buffer size (%u)",
++ *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ);
++ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++
++ } else {
++ pr_log_debug(DEBUG1, "setting CommandBufferSize to %d", *bufsz);
++ cmd_buf_size = (long) *bufsz;
+ }
+ }
+
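Review bot: The first branch of the new check, `if (bufsz == NULL || *bufsz <= 0)`, dereferences `*bufsz` in its pr_log_pri() arguments, so when the directive is absent and get_param_ptr() returns NULL this is a NULL pointer dereference on the default configuration; split it into a silent `bufsz == NULL` default and a separate `*bufsz <= 0` branch that warns, for instance `if (bufsz == NULL) { cmd_buf_size = PR_DEFAULT_CMD_BUFSZ; } else if (*bufsz <= 0) { ...warn... }`. The trailing `else` that sets `cmd_buf_size = (long) *bufsz;` is the actual fix: in the removed code neither branch assigned the configured value, so with a valid CommandBufferSize the variable kept the -1 sentinel tested by `if (cmd_buf_size == -1)`. Also, the lookup type changes from `long *buf_size` to `int *bufsz`; confirm that the directive's configuration handler stores an int, since reading the stored value at the wrong width would silently change the limit.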
>Release-Note:
>Audit-Trail:
>Unformatted: