ProFTPD SReplace Remote Off-by-One Overflow Vulnerability

Vulnerability details

Summary

ProFTPD is an open-source FTP server.

The sreplace() function in ProFTPD's src/support.c contains an off-by-one (single-byte) overflow when handling specially crafted requests. The vulnerable code, with the points referenced in the analysis marked [1] to [4], is shown below:

"""
char *sreplace(pool *p, char *s, ...) {
  va_list args;
  char *m, *r, *src = s, *cp;
  char **mptr, **rptr;
  char *marr[33], *rarr[33];
  char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
  size_t mlen = 0, rlen = 0, blen;
  int dyn = TRUE;

  cp = buf;
  *cp = '\0';

  memset(marr, '\0', sizeof(marr));
  memset(rarr, '\0', sizeof(rarr));
  blen = strlen(src) + 1;

  va_start(args, s);

  while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
    char *tmp = NULL;
    size_t count = 0;

    if ((r = va_arg(args, char *)) == NULL)
      break;

    /* Increase the length of the needed buffer by the difference between
     * the given match and replacement strings, multiplied by the number
     * of times the match string occurs in the source string.
     */
    tmp = strstr(s, m);
    while (tmp) {
      pr_signals_handle();
      count++;

      /* Be sure to increment the pointer returned by strstr(3), to
       * advance past the beginning of the substring for which we are
       * looking. Otherwise, we just loop endlessly, seeing the same
       * value for tmp over and over.
       */
      tmp += strlen(m);
      tmp = strstr(tmp, m);
    }

    /* We are only concerned about match/replacement strings that actually
     * occur in the given string.
     */
    if (count) {
      blen += count * (strlen(r) - strlen(m));
      marr[mlen] = m;
      rarr[mlen++] = r;
    }
  }

  va_end(args);

  /* Try to handle large buffer situations (i.e. escaping of
   * PR_TUNABLE_PATH_MAX (>2048) correctly, but do not allow very big
   * buffer sizes, that may be dangerous (BUFSIZ may be defined in
   * stdio.h) in some library functions.
   */
#ifndef BUFSIZ
# define BUFSIZ 8192
#endif

  if (blen < BUFSIZ)
    cp = pbuf = (char *) pcalloc(p, ++blen);             /* [1] */

  if (!pbuf) {
    cp = pbuf = buf;                                      /* [2] */
    dyn = FALSE;
    blen = sizeof(buf);
  }

  while (*src) {
    for (mptr = marr, rptr = rarr; *mptr; mptr++, rptr++) {
      mlen = strlen(*mptr);
      rlen = strlen(*rptr);

      if (strncmp(src, *mptr, mlen) == 0) {
        sstrncpy(cp, *rptr, blen - strlen(pbuf));         /* [3] */

        if (((cp + rlen) - pbuf + 1) > blen) {
          pr_log_pri(PR_LOG_ERR,
            "WARNING: attempt to overflow internal ProFTPD buffers");
          cp = pbuf + blen - 1;
          goto done;

        } else {
          cp += rlen;
        }

        src += mlen;
        break;
      }
    }

    if (!*mptr) {
      if ((cp - pbuf + 1) > blen) {                       /* [4] */
        pr_log_pri(PR_LOG_ERR,
          "WARNING: attempt to overflow internal ProFTPD buffers");
        cp = pbuf + blen - 1;
      }

      *cp++ = *src++;
    }
  }

 done:
  *cp = '\0';

  if (dyn)
    return pbuf;

  return pstrdup(p, buf);
}
"""

The value of blen is attacker-controlled. If it is kept below BUFSIZ, the output buffer is allocated from the pool (see [1]) and the overflow lands on the heap; otherwise the fixed-size stack buffer buf is used (see [2]) and the overflow lands on the stack.

Because the check at [4] is off by one, the terminating null byte of pbuf can be pushed one byte past the end of the buffer, so that strlen(pbuf) becomes larger than blen. Since sstrncpy still proceeds when its third argument goes negative (blen - strlen(pbuf) wraps as a size_t), the copy at [3] then overwrites the pbuf buffer with attacker-supplied data.
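To show how the check at [4] lets the terminator land one byte past the end of the buffer, here is an added C model written for this page; it is not ProFTPD's code. It reduces the copy loop to a plain byte copy with the original check ((cp - pbuf + 1) > blen, which clamps cp and keeps storing) beside a corrected check that stops one byte early, and runs both into a constructed backing array that carries a sentinel byte right after the blen-sized region, so the overwrite is detected instead of silently corrupting memory. The buffer size, the inputs and all function and type names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the byte-copy loop and the bounds check at [4].
 * Added illustration, not ProFTPD code: names, sizes and inputs are
 * assumptions chosen for the demonstration. */

#define MAX_BLEN 64
#define CANARY   0x7f   /* sentinel stored in the byte right after the buffer */

/* Copies src into dst (capacity blen bytes) one byte at a time, then writes
 * the terminator the way the "done:" label does.
 *   fixed == 0: original check, (cp - dst + 1) > blen: clamps cp to
 *               dst + blen - 1 and keeps storing, so cp ends at dst + blen.
 *   fixed == 1: stop once cp - dst + 1 >= blen, reserving the last byte
 *               for the terminator.
 * Returns the offset at which the NUL was written; an offset equal to blen
 * means the write landed one byte past the end of the buffer. */
static size_t copy_with_check(char *dst, size_t blen, const char *src, int fixed)
{
    char *cp = dst;

    while (*src) {
        size_t used = (size_t)(cp - dst) + 1;   /* bytes occupied after this store */

        if (fixed) {
            if (used >= blen)
                break;                          /* truncate: leave room for the NUL */
        } else if (used > blen) {
            cp = dst + blen - 1;                /* original clamp; cp re-advances to dst + blen */
        }
        *cp++ = *src++;
    }
    *cp = '\0';                                 /* with the original check this is dst[blen] */
    return (size_t)(cp - dst);
}

struct model_result {
    size_t nul_offset;        /* where the terminator was written */
    int    canary_clobbered;  /* 1 if the byte after the buffer was overwritten */
};

/* Runs the model in a backing array that has one sentinel byte after the
 * blen-sized region, so the off-by-one write is observed, not undefined. */
static struct model_result run_model(size_t blen, const char *src, int fixed)
{
    char backing[MAX_BLEN + 1];
    struct model_result res;

    if (blen == 0 || blen > MAX_BLEN)
        blen = MAX_BLEN;
    memset(backing, 'X', sizeof backing);
    backing[blen] = CANARY;

    res.nul_offset = copy_with_check(backing, blen, src, fixed);
    res.canary_clobbered = (backing[blen] != CANARY);
    return res;
}

int main(void)
{
    /* Constructed inputs: a 4-byte buffer, one short and one over-long string. */
    const char *inputs[] = { "AB", "ABCDEF" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct model_result orig = run_model(4, inputs[i], 0);
        struct model_result fix  = run_model(4, inputs[i], 1);
        printf("src=%-7s original: NUL at %zu, sentinel %s | fixed: NUL at %zu, sentinel %s\n",
               inputs[i],
               orig.nul_offset, orig.canary_clobbered ? "CLOBBERED" : "intact",
               fix.nul_offset,  fix.canary_clobbered  ? "CLOBBERED" : "intact");
    }
    return 0;
}
```

With the 4-byte buffer and the 6-byte input, the original check writes the NUL at offset 4, i.e. into the sentinel, while the corrected check truncates to three characters and terminates at offset 3; the short input is handled identically by both. A sentinel byte like this, or building with AddressSanitizer, is a cheap way to confirm a suspected off-by-one in a copy loop before relying on a fix.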

At least two ways of reaching the flaw are currently known:

1. the MKD command

2. pr_display_file

Advisory

The vendor has released an update that fixes this security issue; patch download link:

http://www.debian.org/security/2005/dsa-1218

References

Source: bugzilla.redhat.com
Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

Source: XF
Name: proftpd-code-execution(30147)
Link: http://xforce.iss.net/xforce/xfdb/30147

Source: TRUSTIX
Name: 2006-0070
Link: http://www.trustix.org/errata/2006/0070

Source: TRUSTIX
Name: 2006-0066
Link: http://www.trustix.org/errata/2006/0066/

Source: BID
Name: 20992
Link: http://www.securityfocus.com/bid/20992

Source: BUGTRAQ
Name: 20061127 CVE-2006-5815: remote code execution in ProFTPD
Link: http://www.securityfocus.com/archive/1/archive/1/452760/100/200/threaded

Source: OPENPKG
Name: OpenPKG-SA-2006.035
Link: http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.035-proftpd.html

Source: MANDRIVA
Name: MDKSA-2006:217-1
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2006:217-1

Source: MANDRIVA
Name: MDKSA-2006:217
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2006:217

Source: GENTOO
Name: GLSA-200611-26
Link: http://www.gentoo.org/security/en/glsa/glsa-200611-26.xml

Source: VUPEN
Name: ADV-2006-4451
Link: http://www.frsirt.com/english/advisories/2006/4451

Source: DEBIAN
Name: DSA-1222
Link: http://www.debian.org/security/2006/dsa-1222

Source: SLACKWARE
Name: SSA:2006-335-02
Link: http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.502491

Source: SECTRACK
Name: 1017167
Link: http://securitytracker.com/id?1017167

Source: SECUNIA
Name: 23207
Link: http://secunia.com/advisories/23207

Source: SECUNIA
Name: 23184
Link: http://secunia.com/advisories/23184

Source: SECUNIA
Name: 23179
Link: http://secunia.com/advisories/23179

Source: SECUNIA
Name: 23174
Link: http://secunia.com/advisories/23174

Source: SECUNIA
Name: 23125
Link: http://secunia.com/advisories/23125

Source: SECUNIA
Name: 23069
Link: http://secunia.com/advisories/23069

Source: SECUNIA
Name: 23000
Link: http://secunia.com/advisories/23000

Source: SECUNIA
Name: 22821
Link: http://secunia.com/advisories/22821

Source: SECUNIA
Name: 22803
Link: http://secunia.com/advisories/22803

Source: MANDRIVA
Name: MDKSA-2006:217
Link: http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:217

Source: bugs.proftpd.org
Link: http://bugs.proftpd.org/show_bug.cgi?id=2858
