CVE-2006-5815 - Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) in ProFTPD (ProFTPD Project)

CVSS 10.0 - CRITICAL (CVSS2 vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, proftpd-project, CWE-119, critical, nessus, exploit available, metasploit

Summary

Stack-based buffer overflow in the sreplace() function (src/support.c) in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit." The function carries two separate defects: an off-by-one error in its string manipulation (a heap overflow), and a stack-based overflow reached when a negative remaining-length value is passed to sstrncpy(). The public exploit reaches the latter through pr_display_file(): it uploads a crafted .message file to a writeable directory and then changes into that directory, so in practice it needs an FTP session that can both upload and CWD, even though the CVSS 2 vector above scores Authentication as None. Code executes with the privileges of the user running ProFTPD. Fixed upstream in 1.3.0a.

Vulnerable Configurations

Part         Description       Count
Application  Proftpd_Project   1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description: ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux). CVE-2006-5815. Remote exploit for linux platform
id: EDB-ID:16852
last seen: 2016-02-02
modified: 2011-01-09
published: 2011-01-09
reporter: metasploit
source: https://www.exploit-db.com/download/16852/
title: ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow Linux

Metasploit

description: This module exploits a stack-based buffer overflow in versions 1.2 through 1.3.0 of ProFTPD server. The vulnerability is within the "sreplace" function within the "src/support.c" file.

The off-by-one heap overflow bug in the ProFTPD sreplace function was discovered about two years ago by Evgeny Legerov. We tried to exploit this off-by-one bug via the MKD command, but failed. We did not work on this bug since then. Actually, there exist at least two bugs in the sreplace function: one is the mentioned off-by-one heap overflow bug, the other is a stack-based buffer overflow via 'sstrncpy(dst,src,negative argument)'. We were unable to reach the "sreplace" stack bug on the ProFTPD 1.2.10 stable version, but version 1.3.0rc3 introduced some interesting changes, among them:

  1. another (integer) overflow in sreplace!
  2. now it is possible to reach the sreplace stack-based buffer overflow bug via the "pr_display_file" function!
  3. stupid '.message' file display bug

So we decided to choose ProFTPD 1.3.0 as a target for our exploit. To reach the bug, you need to upload a specially created .message file to a writeable directory, then do "CWD " to trigger the invocation of the sreplace function. Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display the '.message' file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug. The exploit is a part of VulnDisco Pack since Dec 2005.
id: MSF:EXPLOIT/LINUX/FTP/PROFTP_SREPLACE
last seen: 2020-03-09
modified: 2018-09-15
published: 2011-01-09
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/ftp/proftp_sreplace.rb
title: ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
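The module text above names the bug that the exploit actually reaches: a remaining-length value inside sreplace() that goes negative and is then passed to sstrncpy(), whose size parameter is unsigned. The following is an added illustration of that bug class, written for this page; it is not ProFTPD's src/support.c and not the Metasploit module's code. The buffer size BUF_MAX, the function names and the %C-style template inputs are invented for the demonstration. The vulnerable accounting is run as a dry run (it computes the length the copy would have been given without performing it), beside a hardened substitution that tracks room as size_t and refuses rather than overflows.

```c
/*
 * Constructed model of the sreplace()-style flaw described above: a signed
 * "bytes left" counter goes negative and is handed to a strncpy-like copy
 * as its size_t length. Illustration only, not ProFTPD code; BUF_MAX, the
 * function names and the sample inputs are invented.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX 16   /* hypothetical output buffer size */

/*
 * Vulnerable accounting, dry run only. Substitutes `rep` for every `pat`
 * in `src` the way a naive sreplace would, tracking the remaining room in
 * a signed int and never checking it. Instead of copying, it returns the
 * length that would have been handed to the copy for the last match.
 * Once `left` has gone negative that value is (size_t)-N, i.e. enormous,
 * and a real strncpy/sstrncpy call would run far past the buffer.
 */
size_t vuln_last_copy_len(const char *src, const char *pat, const char *rep)
{
    int left = BUF_MAX - 1;               /* signed, like the flawed original */
    size_t patlen = strlen(pat);
    size_t replen = strlen(rep);
    size_t last = 0;
    const char *p = src;

    while (*p) {
        if (patlen && strncmp(p, pat, patlen) == 0) {
            last = (size_t)left;          /* negative int -> huge size_t */
            left -= (int)replen;          /* no check: may go negative */
            p += patlen;
        } else {
            left -= 1;
            p += 1;
        }
    }
    return last;
}

/*
 * Hardened substitution: room is tracked as size_t, every chunk is checked
 * against the space actually left before it is copied, and the caller gets
 * -1 (with dst NUL-terminated) instead of silent truncation or an overflow.
 * Returns the number of bytes written on success.
 */
int safe_sreplace(char *dst, size_t dstsz, const char *src,
                  const char *pat, const char *rep)
{
    size_t patlen = strlen(pat);
    size_t replen = strlen(rep);
    size_t used = 0;
    const char *p = src;

    if (dstsz == 0 || patlen == 0)
        return -1;

    while (*p) {
        const char *chunk;
        size_t n;

        if (strncmp(p, pat, patlen) == 0) {
            chunk = rep; n = replen; p += patlen;
        } else {
            chunk = p;   n = 1;      p += 1;
        }
        if (n > dstsz - 1 - used) {       /* would not fit: refuse */
            dst[used] = '\0';
            return -1;
        }
        memcpy(dst + used, chunk, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed .message-style template: %C stands for the current dir. */
    const char *tmpl = "%C/%C";
    const char *cwd  = "/home/ftp/aaaaaaaaaa";   /* 20 bytes, more than BUF_MAX */
    char out[BUF_MAX];

    printf("vulnerable copy length: %zu\n", vuln_last_copy_len(tmpl, "%C", cwd));
    printf("hardened result: %d\n", safe_sreplace(out, sizeof out, tmpl, "%C", cwd));
    printf("hardened fit: %d -> \"%s\"\n",
           safe_sreplace(out, sizeof out, "dir:%C", "%C", "/pub"), out);
    return 0;
}
```

The dry run makes the failure visible without corrupting memory: after the first expansion of a 20-byte directory name into a 16-byte buffer the counter is already negative, and the second match would ask the copy for roughly SIZE_MAX bytes. The hardened version never lets the counter represent a negative quantity and turns "does not fit" into an error the caller must handle, which is the property a fix for this class of bug has to establish.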

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1222.NASL
    description: Due to technical problems yesterday's proftpd update lacked a build for the amd64 architecture, which is now available.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23757
    published: 2006-12-04
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23757
    title: Debian DSA-1222-2 : proftpd - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1222. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23757);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171");
      script_xref(name:"DSA", value:"1222");
    
      script_name(english:"Debian DSA-1222-2 : proftpd - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Due to technical problems yesterday's proftpd update lacked a build
    for the amd64 architecture, which is now available. For reference
    please find below the original advisory text :
    
      Several remote vulnerabilities have been discovered in the proftpd
      FTP daemon, which may lead to the execution of arbitrary code or
      denial of service. The Common Vulnerabilities and Exposures project
      identifies the following problems :
    
        - CVE-2006-5815
          It was discovered that a buffer overflow in the
          sreplace() function may lead to denial of service and
          possibly the execution of arbitrary code.
    
        - CVE-2006-6170
          It was discovered that a buffer overflow in the
          mod_tls addon module may lead to the execution of
          arbitrary code.
    
        - CVE-2006-6171
          It was discovered that insufficient validation of FTP
          command buffer size limits may lead to denial of
          service. Due to unclear information this issue was
          already fixed in DSA-1218 as CVE-2006-5815."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399070"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-5815"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-6170"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-6171"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-5815"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1222"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the proftpd package.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 1.2.10-15sarge3."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/04");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"proftpd", reference:"1.2.10-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"proftpd-common", reference:"1.2.10-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"proftpd-doc", reference:"1.2.10-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"proftpd-ldap", reference:"1.2.10-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"proftpd-mysql", reference:"1.2.10-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"proftpd-pgsql", reference:"1.2.10-15sarge3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2006-335-02.NASL
    description: New proftpd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24660
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24660
    title: Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : proftpd (SSA:2006-335-02)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2006-335-02. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24660);
      script_version("1.16");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171");
      script_bugtraq_id(20992);
      script_xref(name:"SSA", value:"2006-335-02");
    
      script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : proftpd (SSA:2006-335-02)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New proftpd packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
    10.1, 10.2, and 11.0 to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.502491
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?238e8a90"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected proftpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:11.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"8.1", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i386", pkgnum:"1_slack8.1")) flag++;
    
    if (slackware_check(osver:"9.0", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i386", pkgnum:"1_slack9.0")) flag++;
    
    if (slackware_check(osver:"9.1", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack9.1")) flag++;
    
    if (slackware_check(osver:"10.0", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++;
    
    if (slackware_check(osver:"10.1", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++;
    
    if (slackware_check(osver:"10.2", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;
    
    if (slackware_check(osver:"11.0", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack11.0")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200611-26.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200611-26 (ProFTPD: Remote execution of arbitrary code). Evgeny Legerov discovered a stack-based buffer overflow in the s_replace() function in support.c, as well as a buffer overflow in the mod_tls module. Additionally, an off-by-two error related to the CommandBufferSize configuration directive was reported. Impact: An authenticated attacker could exploit the s_replace() vulnerability by uploading a crafted .message file or sending specially crafted commands to the server, possibly resulting in the execution of arbitrary code with the rights of the user running ProFTPD. An unauthenticated attacker could send specially crafted data to the server with mod_tls enabled which could result in the execution of arbitrary code with the rights of the user running ProFTPD. Finally, the off-by-two error related to the CommandBufferSize configuration directive was fixed; exploitability of this error is disputed. Note that the default configuration on Gentoo is to run ProFTPD as an unprivileged user, and has mod_tls disabled. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23762
    published: 2006-12-04
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23762
    title: GLSA-200611-26 : ProFTPD: Remote execution of arbitrary code
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200611-26.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23762);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171");
      script_xref(name:"GLSA", value:"200611-26");
    
      script_name(english:"GLSA-200611-26 : ProFTPD: Remote execution of arbitrary code");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200611-26
    (ProFTPD: Remote execution of arbitrary code)
    
        Evgeny Legerov discovered a stack-based buffer overflow in the
        s_replace() function in support.c, as well as a buffer overflow in
        the mod_tls module. Additionally, an off-by-two error related to the
        CommandBufferSize configuration directive was reported.
      
    Impact :
    
        An authenticated attacker could exploit the s_replace() vulnerability
        by uploading a crafted .message file or sending specially crafted
        commands to the server, possibly resulting in the execution of
        arbitrary code with the rights of the user running ProFTPD. An
        unauthenticated attacker could send specially crafted data to the
        server with mod_tls enabled which could result in the execution of
        arbitrary code with the rights of the user running ProFTPD. Finally,
        the off-by-two error related to the CommandBufferSize configuration
        directive was fixed - exploitability of this error is disputed. Note
        that the default configuration on Gentoo is to run ProFTPD as an
        unprivileged user, and has mod_tls disabled.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200611-26"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All ProFTPD users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-ftp/proftpd-1.3.0a'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/04");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-ftp/proftpd", unaffected:make_list("ge 1.3.0a"), vulnerable:make_list("lt 1.3.0a"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ProFTPD");
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_3F851B2289FB11DBA937003048116330.NASL
    description: The proftpd development team reports that several remote buffer overflows had been found in the proftpd server.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23952
    published: 2006-12-30
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/23952
    title: FreeBSD : proftpd -- remote code execution vulnerabilities (3f851b22-89fb-11db-a937-003048116330)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23952);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170");
    
      script_name(english:"FreeBSD : proftpd -- remote code execution vulnerabilities (3f851b22-89fb-11db-a937-003048116330)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The proftpd development team reports that several remote buffer
    overflows had been found in the proftpd server."
      );
      # https://vuxml.freebsd.org/freebsd/3f851b22-89fb-11db-a937-003048116330.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5c484979"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:proftpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:proftpd-mysql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"proftpd<1.3.0_5")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"proftpd-mysql<1.3.0_5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-217.NASL
    description: A stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier, allows remote attackers to cause a denial of service, as demonstrated by vd_proftpd.pm, a 'ProFTPD remote exploit.'
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24602
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24602
    title: Mandrake Linux Security Advisory : proftpd (MDKSA-2006:217-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:217. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24602);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171");
      script_bugtraq_id(20992);
      script_xref(name:"MDKSA", value:"2006:217-1");
    
      script_name(english:"Mandrake Linux Security Advisory : proftpd (MDKSA-2006:217-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A stack-based buffer overflow in the sreplace function in ProFTPD
    1.3.0 and earlier, allows remote attackers to cause a denial of
    service, as demonstrated by vd_proftpd.pm, a 'ProFTPD remote exploit.'
    (CVE-2006-5815)
    
    Buffer overflow in the tls_x509_name_oneline function in the mod_tls
    module, as used in ProFTPD 1.3.0a and earlier, and possibly other
    products, allows remote attackers to execute arbitrary code via a
    large data length argument, a different vulnerability than
    CVE-2006-5815. (CVE-2006-6170)
    
    ProFTPD 1.3.0a and earlier does not properly set the buffer size limit
    when CommandBufferSize is specified in the configuration file, which
    leads to an off-by-two buffer underflow. NOTE: in November 2006, the
    role of CommandBufferSize was originally associated with
    CVE-2006-5815, but this was an error stemming from an initial vague
    disclosure. NOTE: ProFTPD developers dispute this issue, saying that
    the relevant memory location is overwritten by assignment before
    further use within the affected function, so this is not a
    vulnerability. (CVE-2006-6171)
    
    Packages have been patched to correct these issues.
    
    Update :
    
    The previous update incorrectly linked the vd_proftd.pm issue with the
    CommandBufferSize issue. These are two distinct issues and the
    previous update only addressed CommandBufferSize (CVE-2006-6171), and
    the mod_tls issue (CVE-2006-6170)."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-anonymous");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_autohost");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_case");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_clamav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ctrls_admin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_facl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_gss");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ifsession");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_load");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_file");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_sql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_radius");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ratio");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_rewrite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_shaper");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_site_misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_postgres");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_time");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_tls");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap_file");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap_sql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", reference:"proftpd-1.2.10-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"proftpd-anonymous-1.2.10-13.3.20060mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-anonymous-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_autohost-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_case-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_clamav-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ctrls_admin-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_facl-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_gss-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ifsession-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ldap-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_load-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_file-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_ldap-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_sql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_radius-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ratio-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_rewrite-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_shaper-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_site_misc-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql_mysql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql_postgres-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_time-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_tls-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap_file-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap_sql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: FTP
    NASL id: PROFTPD_1_3_0_A.NASL
    description: The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.0a. As such, it may be affected by one or more of the following vulnerabilities : - An off-by-one string manipulation flaw exists in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27055
    published: 2007-10-15
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27055
    title: ProFTPD < 1.3.0a Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27055);
      script_version("1.24");
      script_cvs_date("Date: 2018/11/15 20:50:22");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171");
      script_bugtraq_id(20992);
    
      script_name(english:"ProFTPD < 1.3.0a Multiple Vulnerabilities");
      script_summary(english:"Checks version number in FTP banner");
    
      script_set_attribute(attribute:"synopsis", value:"The remote FTP server is affected by several vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is using ProFTPD, a free FTP server for Unix and
    Linux.
    
    According to its banner, the version of ProFTPD installed on the
    remote host is earlier than 1.3.0a. As such, it may be affected by one
    or more of the following vulnerabilities :
    
      - An off-by-one string manipulation flaw exists in the
        'sreplace' function.  (CVE-2006-5815)
    
      - A buffer overflow exists in the 'tls_x509_name_oneline'
        function of the mod_tls module involving the data
        length argument. (CVE-2006-6170)
    
      - An off-by-two buffer overflow exists due to a failure
        to properly set the buffer size limit when
        'CommandBufferSize' is specified in the configuration
        file, an issue which is disputed by the developers.
        (CVE-2006-6171)
    
    An attacker may be able to leverage this issue to crash the affected
    service or execute arbitrary code remotely, subject to the privileges
    under which the application operates.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/Nov/315");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/452760/30/0/threaded");
      script_set_attribute(attribute:"solution", value:"Upgrade to ProFTPD version 1.3.0a or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/15");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:proftpd:proftpd");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"FTP");
    
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ftpserver_detect_type_nd_version.nasl");
      script_require_keys("ftp/proftpd", "Settings/ParanoidReport");
      script_require_ports("Services/ftp", 21);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("ftp_func.inc");
    
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    port = get_ftp_port(default: 21);
    
    # Check the version number in the banner.
    banner = get_ftp_banner(port:port);
    if (banner && "ProFTPD " >< banner)
    {
      # Grab the version.
      ver = NULL;
    
      pat = "^[0-9]{3}[ -]ProFTPD ([0-9][^ ]+) Server";
      matches = egrep(pattern:pat, string:banner);
      foreach match (split(matches))
      {
        match = chomp(match);
        item = eregmatch(pattern:pat, string:match);
        if (!isnull(item))
        {
          ver = item[1];
          break;
        }
      }
    
      if (ver && ver =~ "^(0\.|1\.([0-2]\.|3\.0($|rc)))")
      {
        report = strcat('\nThe banner reports this is ProFTPD version ', ver, '.\n' );
        security_hole(port:port, extra:report);
      }
    }
    

Packetstorm