Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
ProFTPD mod_tls pre-authentication buffer overflow
Nov 28 2006 09:13AM
research gleg net
(1 replies)
Name: ProFTPD mod_tls pre-authentication buffer overflow
Vendor: http://www.proftpd.org
Release date: 28 Nov, 2006
Author: Evgeny Legerov <research (at) gleg (dot) net [email concealed]>
I. DESCRIPTION
A remote buffer overflow vulnerability has been found in mod_tls module of
ProFTPD server.
The vulnerability could allow a remote un-authenticated attacker to gain root
privileges.
II. DETAILS
Let's have a look at the code (ProFTPD version 1.3.0):
contrib/mod_tls.c:
"""
static char *tls_x509_name_oneline(X509_NAME *x509_name) {
static char buf[256] = {'\0'};
/* If we are using OpenSSL 0.9.6 or newer, we want to use
* X509_NAME_print_ex()
* instead of X509_NAME_oneline().
*/
#if OPENSSL_VERSION_NUMBER < 0x000906000L
memset(&buf, '\0', sizeof(buf));
return X509_NAME_oneline(x509_name, buf, sizeof(buf));
#else
/* Sigh...do it the hard way. */
BIO *mem = BIO_new(BIO_s_mem());
char *data = NULL;
long datalen = 0;
int ok;
if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
[1] datalen = BIO_get_mem_data(mem, &data);
if (data) {
memset(&buf, '\0', sizeof(buf));
[2] memcpy(buf, data, datalen);
buf[datalen] = '\0';
buf[sizeof(buf)-1] = '\0';
BIO_free(mem);
return buf;
}
BIO_free(mem);
return NULL;
#endif /* OPENSSL_VERSION_NUMBER >= 0x000906000 */
}
"""
The value of 'datalen' parameter is fully controlled by us (see [1]).
On line [2] we will be able to overflow the 'buf' buffer with our data.
III. VENDOR RESPONSE
Vendor has been notified on Nov 16, 2006 but ProFTPD 1.3.0a is still vulnerable.
IV. CREDIT
Discovered by Evgeny Legerov.
The vulnerability is a part of VulnDisco Pack Professional since Jan, 2006.
[ reply ]
Re: ProFTPD mod_tls pre-authentication buffer overflow
Nov 29 2006 10:39AM
Mark Wadham (mark wadham areti net)
Privacy Statement
Copyright 2009, SecurityFocus
Vendor: http://www.proftpd.org
Release date: 28 Nov, 2006
Author: Evgeny Legerov <research (at) gleg (dot) net [email concealed]>
I. DESCRIPTION
A remote buffer overflow vulnerability has been found in mod_tls module of
ProFTPD server.
The vulnerability could allow a remote un-authenticated attacker to gain root
privileges.
II. DETAILS
Let's have a look at the code (ProFTPD version 1.3.0):
contrib/mod_tls.c:
"""
static char *tls_x509_name_oneline(X509_NAME *x509_name) {
static char buf[256] = {'\0'};
/* If we are using OpenSSL 0.9.6 or newer, we want to use
* X509_NAME_print_ex()
* instead of X509_NAME_oneline().
*/
#if OPENSSL_VERSION_NUMBER < 0x000906000L
memset(&buf, '\0', sizeof(buf));
return X509_NAME_oneline(x509_name, buf, sizeof(buf));
#else
/* Sigh...do it the hard way. */
BIO *mem = BIO_new(BIO_s_mem());
char *data = NULL;
long datalen = 0;
int ok;
if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
[1] datalen = BIO_get_mem_data(mem, &data);
if (data) {
memset(&buf, '\0', sizeof(buf));
[2] memcpy(buf, data, datalen);
buf[datalen] = '\0';
buf[sizeof(buf)-1] = '\0';
BIO_free(mem);
return buf;
}
BIO_free(mem);
return NULL;
#endif /* OPENSSL_VERSION_NUMBER >= 0x000906000 */
}
"""
The value of 'datalen' parameter is fully controlled by us (see [1]).
On line [2] we will be able to overflow the 'buf' buffer with our data.
III. VENDOR RESPONSE
Vendor has been notified on Nov 16, 2006 but ProFTPD 1.3.0a is still vulnerable.
IV. CREDIT
Discovered by Evgeny Legerov.
The vulnerability is a part of VulnDisco Pack Professional since Jan, 2006.
[ reply ]