Vulnerabilities > CVE-2006-6170 - Remote Buffer Overflow vulnerability in ProFTPD MOD_TLS

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
proftpd-project
nessus

Summary

Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products, allows remote attackers to execute arbitrary code via a large data length argument, a different vulnerability than CVE-2006-5815.

Vulnerable Configurations

Part Description Count
Application
Proftpd_Project
1

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1222.NASL
    descriptionDue to technical problems yesterday
    last seen2020-06-01
    modified2020-06-02
    plugin id23757
    published2006-12-04
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23757
    titleDebian DSA-1222-2 : proftpd - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1222. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23757);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171");
      script_xref(name:"DSA", value:"1222");
    
      script_name(english:"Debian DSA-1222-2 : proftpd - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Due to technical problems yesterday's proftpd update lacked a build
    for the amd64 architecture, which is now available. For reference
    please find below the original advisory text :
    
      Several remote vulnerabilities have been discovered in the proftpd
      FTP daemon, which may lead to the execution of arbitrary code or
      denial of service. The Common Vulnerabilities and Exposures project
      identifies the following problems :
    
        - CVE-2006-5815
          It was discovered that a buffer overflow in the
          sreplace() function may lead to denial of service and
          possibly the execution of arbitrary code.
    
        - CVE-2006-6170
          It was discovered that a buffer overflow in the
          mod_tls addon module may lead to the execution of
          arbitrary code.
    
        - CVE-2006-6171
          It was discovered that insufficient validation of FTP
          command buffer size limits may lead to denial of
          service. Due to unclear information this issue was
          already fixed in DSA-1218 as CVE-2006-5815."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399070"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-5815"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-6170"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-6171"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-5815"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1222"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the proftpd package.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 1.2.10-15sarge3."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/04");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"proftpd", reference:"1.2.10-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"proftpd-common", reference:"1.2.10-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"proftpd-doc", reference:"1.2.10-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"proftpd-ldap", reference:"1.2.10-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"proftpd-mysql", reference:"1.2.10-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"proftpd-pgsql", reference:"1.2.10-15sarge3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2006-335-02.NASL
    descriptionNew proftpd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24660
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24660
    titleSlackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : proftpd (SSA:2006-335-02)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2006-335-02. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24660);
      script_version("1.16");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171");
      script_bugtraq_id(20992);
      script_xref(name:"SSA", value:"2006-335-02");
    
      script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : proftpd (SSA:2006-335-02)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New proftpd packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
    10.1, 10.2, and 11.0 to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.502491
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?238e8a90"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected proftpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:11.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"8.1", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i386", pkgnum:"1_slack8.1")) flag++;
    
    if (slackware_check(osver:"9.0", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i386", pkgnum:"1_slack9.0")) flag++;
    
    if (slackware_check(osver:"9.1", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack9.1")) flag++;
    
    if (slackware_check(osver:"10.0", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++;
    
    if (slackware_check(osver:"10.1", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++;
    
    if (slackware_check(osver:"10.2", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;
    
    if (slackware_check(osver:"11.0", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack11.0")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200611-26.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200611-26 (ProFTPD: Remote execution of arbitrary code) Evgeny Legerov discovered a stack-based buffer overflow in the s_replace() function in support.c, as well as a buffer overflow in in the mod_tls module. Additionally, an off-by-two error related to the CommandBufferSize configuration directive was reported. Impact : An authenticated attacker could exploit the s_replace() vulnerability by uploading a crafted .message file or sending specially crafted commands to the server, possibly resulting in the execution of arbitrary code with the rights of the user running ProFTPD. An unauthenticated attacker could send specially crafted data to the server with mod_tls enabled which could result in the execution of arbitrary code with the rights of the user running ProFTPD. Finally, the off-by-two error related to the CommandBufferSize configuration directive was fixed - exploitability of this error is disputed. Note that the default configuration on Gentoo is to run ProFTPD as an unprivileged user, and has mod_tls disabled. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id23762
    published2006-12-04
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23762
    titleGLSA-200611-26 : ProFTPD: Remote execution of arbitrary code
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200611-26.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23762);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171");
      script_xref(name:"GLSA", value:"200611-26");
    
      script_name(english:"GLSA-200611-26 : ProFTPD: Remote execution of arbitrary code");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200611-26
    (ProFTPD: Remote execution of arbitrary code)
    
        Evgeny Legerov discovered a stack-based buffer overflow in the
        s_replace() function in support.c, as well as a buffer overflow in in
        the mod_tls module. Additionally, an off-by-two error related to the
        CommandBufferSize configuration directive was reported.
      
    Impact :
    
        An authenticated attacker could exploit the s_replace() vulnerability
        by uploading a crafted .message file or sending specially crafted
        commands to the server, possibly resulting in the execution of
        arbitrary code with the rights of the user running ProFTPD. An
        unauthenticated attacker could send specially crafted data to the
        server with mod_tls enabled which could result in the execution of
        arbitrary code with the rights of the user running ProFTPD. Finally,
        the off-by-two error related to the CommandBufferSize configuration
        directive was fixed - exploitability of this error is disputed. Note
        that the default configuration on Gentoo is to run ProFTPD as an
        unprivileged user, and has mod_tls disabled.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200611-26"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All ProFTPD users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-ftp/proftpd-1.3.0a'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/04");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-ftp/proftpd", unaffected:make_list("ge 1.3.0a"), vulnerable:make_list("lt 1.3.0a"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ProFTPD");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_3F851B2289FB11DBA937003048116330.NASL
    descriptionThe proftpd development team reports that several remote buffer overflows had been found in the proftpd server.
    last seen2020-06-01
    modified2020-06-02
    plugin id23952
    published2006-12-30
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/23952
    titleFreeBSD : proftpd -- remote code execution vulnerabilities (3f851b22-89fb-11db-a937-003048116330)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23952);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170");
    
      script_name(english:"FreeBSD : proftpd -- remote code execution vulnerabilities (3f851b22-89fb-11db-a937-003048116330)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The proftpd development team reports that several remote buffer
    overflows had been found in the proftpd server."
      );
      # https://vuxml.freebsd.org/freebsd/3f851b22-89fb-11db-a937-003048116330.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5c484979"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:proftpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:proftpd-mysql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"proftpd<1.3.0_5")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"proftpd-mysql<1.3.0_5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-217.NASL
    descriptionA stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier, allows remote attackers to cause a denial of service, as demonstrated by vd_proftpd.pm, a
    last seen2020-06-01
    modified2020-06-02
    plugin id24602
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24602
    titleMandrake Linux Security Advisory : proftpd (MDKSA-2006:217-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:217. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24602);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171");
      script_bugtraq_id(20992);
      script_xref(name:"MDKSA", value:"2006:217-1");
    
      script_name(english:"Mandrake Linux Security Advisory : proftpd (MDKSA-2006:217-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A stack-based buffer overflow in the sreplace function in ProFTPD
    1.3.0 and earlier, allows remote attackers to cause a denial of
    service, as demonstrated by vd_proftpd.pm, a 'ProFTPD remote exploit.'
    (CVE-2006-5815)
    
    Buffer overflow in the tls_x509_name_oneline function in the mod_tls
    module, as used in ProFTPD 1.3.0a and earlier, and possibly other
    products, allows remote attackers to execute arbitrary code via a
    large data length argument, a different vulnerability than
    CVE-2006-5815. (CVE-2006-6170)
    
    ProFTPD 1.3.0a and earlier does not properly set the buffer size limit
    when CommandBufferSize is specified in the configuration file, which
    leads to an off-by-two buffer underflow. NOTE: in November 2006, the
    role of CommandBufferSize was originally associated with
    CVE-2006-5815, but this was an error stemming from an initial vague
    disclosure. NOTE: ProFTPD developers dispute this issue, saying that
    the relevant memory location is overwritten by assignment before
    further use within the affected function, so this is not a
    vulnerability. (CVE-2006-6171)
    
    Packages have been patched to correct these issues.
    
    Update :
    
    The previous update incorrectly linked the vd_proftd.pm issue with the
    CommandBufferSize issue. These are two distinct issues and the
    previous update only addressed CommandBufferSize (CVE-2006-6171), and
    the mod_tls issue (CVE-2006-6170)."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-anonymous");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_autohost");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_case");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_clamav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ctrls_admin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_facl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_gss");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ifsession");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_load");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_file");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_sql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_radius");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ratio");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_rewrite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_shaper");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_site_misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_postgres");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_time");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_tls");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap_file");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap_sql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", reference:"proftpd-1.2.10-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"proftpd-anonymous-1.2.10-13.3.20060mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-anonymous-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_autohost-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_case-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_clamav-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ctrls_admin-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_facl-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_gss-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ifsession-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ldap-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_load-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_file-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_ldap-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_sql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_radius-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ratio-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_rewrite-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_shaper-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_site_misc-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql_mysql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql_postgres-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_time-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_tls-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap_file-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap_sql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFTP
    NASL idPROFTPD_1_3_0_A.NASL
    descriptionThe remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.0a. As such, it may be affected by one or more of the following vulnerabilities : - An off-by-one string manipulation flaw exists in the
    last seen2020-06-01
    modified2020-06-02
    plugin id27055
    published2007-10-15
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27055
    titleProFTPD < 1.3.0a Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27055);
      script_version("1.24");
      script_cvs_date("Date: 2018/11/15 20:50:22");
    
      script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171");
      script_bugtraq_id(20992);
    
      script_name(english:"ProFTPD < 1.3.0a Multiple Vulnerabilities");
      script_summary(english:"Checks version number in FTP banner");
    
      script_set_attribute(attribute:"synopsis", value:"The remote FTP server is affected by several vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is using ProFTPD, a free FTP server for Unix and
    Linux.
    
    According to its banner, the version of ProFTPD installed on the
    remote host is earlier than 1.3.0a. As such, it may be affected by one
    or more of the following vulnerabilities :
    
      - An off-by-one string manipulation flaw exists in the
        'sreplace' function.  (CVE-2006-5815)
    
      - A buffer overflow exists in the 'tls_x509_name_oneline'
        function of the mod_tls module involving the data
        length argument. (CVE-2006-6170)
    
      - An off-by-two buffer overflow exists due to a failure
        to properly set the buffer size limit when
        'CommandBufferSize' is specified in the configuration
        file, an issue which is disputed by the developers.
        (CVE-2006-6171)
    
    An attacker may be able to leverage this issue to crash the affected
    service or execute arbitrary code remotely, subject to the privileges
    under which the application operates.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/Nov/315");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/452760/30/0/threaded");
      script_set_attribute(attribute:"solution", value:"Upgrade to ProFTPD version 1.3.0a or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/15");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:proftpd:proftpd");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"FTP");
    
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ftpserver_detect_type_nd_version.nasl");
      script_require_keys("ftp/proftpd", "Settings/ParanoidReport");
      script_require_ports("Services/ftp", 21);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("ftp_func.inc");
    
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    port = get_ftp_port(default: 21);
    
    # Check the version number in the banner.
    banner = get_ftp_banner(port:port);
    if (banner && "ProFTPD " >< banner)
    {
      # Grab the version.
      ver = NULL;
    
      pat = "^[0-9]{3}[ -]ProFTPD ([0-9][^ ]+) Server";
      matches = egrep(pattern:pat, string:banner);
      foreach match (split(matches))
      {
        match = chomp(match);
        item = eregmatch(pattern:pat, string:match);
        if (!isnull(item))
        {
          ver = item[1];
          break;
        }
      }
    
      if (ver && ver =~ "^(0\.|1\.([0-2]\.|3\.0($|rc)))")
      {
        report = strcat('\nThe banner reports this is ProFTPD version ', ver, '.\n' );
        security_hole(port:port, extra:report);
      }
    }