[Full-disclosure] ProFTPD mod_tls pre-authentication buffer overflow
- From: research at gleg.net (research at gleg.net)
- Subject: [Full-disclosure] ProFTPD mod_tls pre-authentication buffer overflow
- Date: Wed, 29 Nov 2006 17:22:30 +0300
Hi,

> Hi
>
> Can I get this straight, vendor was notified on the 16th of November,
> but this vulnerability has been part of VulnDisco since Jan 2006? Is
> that actually correct? This was known about ten months ago but not
> disclosed until now?

Absolutely correct. ProFTPD sreplace bug has been part of VulnDisco since Dec, 2005.

> Mark
>
> research at gleg.net wrote:
> > Name: ProFTPD mod_tls pre-authentication buffer overflow
> > Vendor: http://www.proftpd.org
> > Release date: 28 Nov, 2006
> > Author: Evgeny Legerov <research at gleg.net>
> >
> > I. DESCRIPTION
> >
> > A remote buffer overflow vulnerability has been found in the mod_tls module of
> > the ProFTPD server.
> > The vulnerability could allow a remote unauthenticated attacker to gain root
> > privileges.
> >
> > II. DETAILS
> >
> > Let's have a look at the code (ProFTPD version 1.3.0):
> >
> > contrib/mod_tls.c:
> > """
> > static char *tls_x509_name_oneline(X509_NAME *x509_name) {
> >   static char buf[256] = {'\0'};
> >
> >   /* If we are using OpenSSL 0.9.6 or newer, we want to use
> >    * X509_NAME_print_ex()
> >    * instead of X509_NAME_oneline().
> >    */
> >
> > #if OPENSSL_VERSION_NUMBER < 0x000906000L
> >   memset(&buf, '\0', sizeof(buf));
> >   return X509_NAME_oneline(x509_name, buf, sizeof(buf));
> > #else
> >
> >   /* Sigh...do it the hard way. */
> >   BIO *mem = BIO_new(BIO_s_mem());
> >   char *data = NULL;
> >   long datalen = 0;
> >   int ok;
> >
> >   if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
> > [1] datalen = BIO_get_mem_data(mem, &data);
> >
> >   if (data) {
> >     memset(&buf, '\0', sizeof(buf));
> > [2] memcpy(buf, data, datalen);
> >     buf[datalen] = '\0';
> >     buf[sizeof(buf)-1] = '\0';
> >
> >     BIO_free(mem);
> >     return buf;
> >   }
> >
> >   BIO_free(mem);
> >   return NULL;
> > #endif /* OPENSSL_VERSION_NUMBER >= 0x000906000 */
> > }
> > """
> >
> > The value of the 'datalen' parameter is fully controlled by us (see [1]).
> > On line [2] we will be able to overflow the 'buf' buffer with our data.
> >
> > III. VENDOR RESPONSE
> >
> > Vendor has been notified on Nov 16, 2006 but ProFTPD 1.3.0a is still
> > vulnerable.
> >
> > IV. CREDIT
> >
> > Discovered by Evgeny Legerov.
> >
> > The vulnerability has been a part of VulnDisco Pack Professional since Jan, 2006.
>
> --
> Mark Wadham
> e: mark.wadham at areti.net t: +44 (0)20 8315 5800 f: +44 (0)20 8315 5801
> Areti Internet Ltd., http://www.areti.net/
>
> ===================================================================
> Areti Internet Ltd: BS EN ISO 9001:2000
> Providing corporate Internet solutions for more than 10 years.
> ===================================================================
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Regards,
Evgeny Legerov
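The following is an added example, not code from the advisory, from ProFTPD or from the vendor's later fix. It models the quoted tls_x509_name_oneline() logic without OpenSSL so it builds stand-alone: the memory BIO that X509_NAME_print_ex() fills is replaced by a plain (data, datalen) pair, standing in for a client certificate subject whose length the peer chooses. The vulnerable copy is kept as posted beside a bounded version (my own hardening, an assumption about how one would fix it, not necessarily what the project shipped), plus a helper that tells you which lengths would write past the 256-byte static buffer. The long subject DN is constructed in the code.

```c
/* Added example: models the tls_x509_name_oneline() bug from the post
 * without OpenSSL. The (data, datalen) pair stands in for the BIO that
 * X509_NAME_print_ex() writes the peer's subject DN into. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ONELINE_BUF_SIZE 256   /* matches 'static char buf[256]' in mod_tls.c */

/* Same logic as the quoted code: datalen is never checked against
 * sizeof(buf) before the memcpy, and buf[datalen] = '\0' is itself an
 * out-of-bounds write once datalen >= sizeof(buf). Only ever call this
 * with a length that is known to fit. */
char *oneline_vulnerable(const char *data, size_t datalen) {
  static char buf[ONELINE_BUF_SIZE] = {'\0'};

  if (data == NULL)
    return NULL;

  memset(buf, '\0', sizeof(buf));
  memcpy(buf, data, datalen);      /* overflows when datalen > sizeof(buf) */
  buf[datalen] = '\0';             /* overflows when datalen >= sizeof(buf) */
  buf[sizeof(buf) - 1] = '\0';
  return buf;
}

/* Hardened form (assumed fix, not the vendor's patch): clamp the copy
 * length to sizeof(buf)-1 so the terminating NUL always lands inside
 * the buffer. A long DN is truncated rather than trusted. */
char *oneline_bounded(const char *data, size_t datalen) {
  static char buf[ONELINE_BUF_SIZE] = {'\0'};

  if (data == NULL)
    return NULL;

  if (datalen > sizeof(buf) - 1)
    datalen = sizeof(buf) - 1;

  memset(buf, '\0', sizeof(buf));
  memcpy(buf, data, datalen);
  buf[datalen] = '\0';
  return buf;
}

/* Nonzero when a DN of this length would write past the 256-byte
 * buffer in the vulnerable version (the NUL store is the first OOB write). */
int oneline_would_overflow(size_t datalen) {
  return datalen >= ONELINE_BUF_SIZE;
}

/* Builds a constructed subject DN "CN=AAAA..." of exactly 'want' bytes,
 * the kind of oversized CN a hostile client certificate could carry.
 * Returns the length written (clamped to the output buffer). */
size_t build_long_dn(char *out, size_t outsz, size_t want) {
  const char *prefix = "CN=";
  size_t n = strlen(prefix);

  if (want + 1 > outsz)
    want = outsz - 1;
  if (n > want)
    n = want;
  memcpy(out, prefix, n);
  memset(out + n, 'A', want - n);
  out[want] = '\0';
  return want;
}

int main(void) {
  char dn[1024];
  size_t len;

  /* A normal-sized DN fits, and both versions copy it intact. */
  len = build_long_dn(dn, sizeof(dn), 40);
  printf("%zu bytes: overflow=%d vulnerable=\"%s\"\n", len,
         oneline_would_overflow(len), oneline_vulnerable(dn, len));

  /* A 700-byte DN would smash the static buffer in the vulnerable copy;
   * only the bounded version is safe to call with it. */
  len = build_long_dn(dn, sizeof(dn), 700);
  printf("%zu bytes: overflow=%d bounded length=%zu\n", len,
         oneline_would_overflow(len), strlen(oneline_bounded(dn, len)));
  return 0;
}
```

The point worth taking from the model is that the boundary is at datalen == 256, not 257: memcpy of exactly 256 bytes fills the buffer, but the following buf[datalen] = '\0' already writes one past the end, so the later buf[sizeof(buf)-1] = '\0' cannot rescue it. Because the buffer is static rather than on the stack, what gets corrupted is whatever the linker placed after it in .bss, which is why the post's claim that datalen is attacker-controlled is the whole story for reachability but not for exploitability.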