|
|
>> ProFTPD "sreplace()" and "cmd_loop()" Code Execution and DoS Vulnerabilities
|
Title : ProFTPD "sreplace()" and "cmd_loop()" Code Execution and DoS Vulnerabilities
VUPEN ID : VUPEN/ADV-2006-4451
CVE ID : CVE-2006-5815
Rated as : High Risk 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-11-10
|
Two vulnerabilities have been identified in ProFTPD, which could be exploited by attackers to cause a denial of service or execute arbitrary commands.
The first flaw is due to a buffer overflow error in the "cmd_loop()" function [main.c] where the "cmd_buf_size" size of the buffer used to handle FTP commands sent by clients is not properly set to the size configured via the "CommandBufferSize" directive, which could be exploited by attackers to crash a vulnerable application via a specially crafted FTP command.
The second issue is due to a buffer overflow error in the "sreplace() " [support.c] function when processing malformed requests, which could be exploited by a remote attacker to execute arbitrary commands with elevated privileges.
Affected Products
ProFTPD version 1.3.0 and prior
Solution
The first issue has been fixed in CVS :
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date
The second issue has been fixed in version 1.3.0a :
http://proftpd.org/download.html
References
http://www.vupen.com/english/advisories/2006/4451
http://bugs.proftpd.org/show_bug.cgi?id=2858
Credits
Vulnerabilities reported by the vendor and Evgeny Legerov
ChangeLog
2006-11-10 : Initial release
2006-11-22 : Updated Description
2006-11-27 : Updated Solution
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
