Vulnerabilities > CVE-2006-6171 - Unspecified vulnerability in Proftpd Project Proftpd
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN proftpd-project
nessus
Summary
ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the role of CommandBufferSize was originally associated with CVE-2006-5815, but this was an error stemming from a vague initial disclosure. NOTE: ProFTPD developers dispute this issue, saying that the relevant memory location is overwritten by assignment before further use within the affected function, so this is not a vulnerability
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1222.NASL description Due to technical problems yesterday last seen 2020-06-01 modified 2020-06-02 plugin id 23757 published 2006-12-04 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23757 title Debian DSA-1222-2 : proftpd - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1222. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(23757); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171"); script_xref(name:"DSA", value:"1222"); script_name(english:"Debian DSA-1222-2 : proftpd - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Due to technical problems yesterday's proftpd update lacked a build for the amd64 architecture, which is now available. For reference please find below the original advisory text : Several remote vulnerabilities have been discovered in the proftpd FTP daemon, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5815 It was discovered that a buffer overflow in the sreplace() function may lead to denial of service and possibly the execution of arbitrary code. - CVE-2006-6170 It was discovered that a buffer overflow in the mod_tls addon module may lead to the execution of arbitrary code. - CVE-2006-6171 It was discovered that insufficient validation of FTP command buffer size limits may lead to denial of service. Due to unclear information this issue was already fixed in DSA-1218 as CVE-2006-5815." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399070" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-5815" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-6170" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-6171" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-5815" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1222" ); script_set_attribute( attribute:"solution", value: "Upgrade the proftpd package. For the stable distribution (sarge) these problems have been fixed in version 1.2.10-15sarge3." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:proftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/04"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"proftpd", reference:"1.2.10-15sarge3")) flag++; if (deb_check(release:"3.1", prefix:"proftpd-common", reference:"1.2.10-15sarge3")) flag++; if (deb_check(release:"3.1", prefix:"proftpd-doc", reference:"1.2.10-15sarge3")) flag++; if (deb_check(release:"3.1", prefix:"proftpd-ldap", reference:"1.2.10-15sarge3")) flag++; if (deb_check(release:"3.1", prefix:"proftpd-mysql", reference:"1.2.10-15sarge3")) flag++; if (deb_check(release:"3.1", prefix:"proftpd-pgsql", reference:"1.2.10-15sarge3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2006-335-02.NASL description New proftpd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 24660 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24660 title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : proftpd (SSA:2006-335-02) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2006-335-02. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(24660); script_version("1.16"); script_cvs_date("Date: 2019/10/25 13:36:20"); script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171"); script_bugtraq_id(20992); script_xref(name:"SSA", value:"2006-335-02"); script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : proftpd (SSA:2006-335-02)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New proftpd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix security issues." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.502491 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?238e8a90" ); script_set_attribute( attribute:"solution", value:"Update the affected proftpd package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:proftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:11.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"8.1", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i386", pkgnum:"1_slack8.1")) flag++; if (slackware_check(osver:"9.0", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i386", pkgnum:"1_slack9.0")) flag++; if (slackware_check(osver:"9.1", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack9.1")) flag++; if (slackware_check(osver:"10.0", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++; if (slackware_check(osver:"10.1", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++; if (slackware_check(osver:"10.2", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++; if (slackware_check(osver:"11.0", pkgname:"proftpd", pkgver:"1.3.0a", pkgarch:"i486", pkgnum:"1_slack11.0")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200611-26.NASL description The remote host is affected by the vulnerability described in GLSA-200611-26 (ProFTPD: Remote execution of arbitrary code) Evgeny Legerov discovered a stack-based buffer overflow in the s_replace() function in support.c, as well as a buffer overflow in in the mod_tls module. Additionally, an off-by-two error related to the CommandBufferSize configuration directive was reported. Impact : An authenticated attacker could exploit the s_replace() vulnerability by uploading a crafted .message file or sending specially crafted commands to the server, possibly resulting in the execution of arbitrary code with the rights of the user running ProFTPD. An unauthenticated attacker could send specially crafted data to the server with mod_tls enabled which could result in the execution of arbitrary code with the rights of the user running ProFTPD. Finally, the off-by-two error related to the CommandBufferSize configuration directive was fixed - exploitability of this error is disputed. Note that the default configuration on Gentoo is to run ProFTPD as an unprivileged user, and has mod_tls disabled. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 23762 published 2006-12-04 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23762 title GLSA-200611-26 : ProFTPD: Remote execution of arbitrary code code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200611-26. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(23762); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:43"); script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171"); script_xref(name:"GLSA", value:"200611-26"); script_name(english:"GLSA-200611-26 : ProFTPD: Remote execution of arbitrary code"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200611-26 (ProFTPD: Remote execution of arbitrary code) Evgeny Legerov discovered a stack-based buffer overflow in the s_replace() function in support.c, as well as a buffer overflow in in the mod_tls module. Additionally, an off-by-two error related to the CommandBufferSize configuration directive was reported. Impact : An authenticated attacker could exploit the s_replace() vulnerability by uploading a crafted .message file or sending specially crafted commands to the server, possibly resulting in the execution of arbitrary code with the rights of the user running ProFTPD. An unauthenticated attacker could send specially crafted data to the server with mod_tls enabled which could result in the execution of arbitrary code with the rights of the user running ProFTPD. Finally, the off-by-two error related to the CommandBufferSize configuration directive was fixed - exploitability of this error is disputed. Note that the default configuration on Gentoo is to run ProFTPD as an unprivileged user, and has mod_tls disabled. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200611-26" ); script_set_attribute( attribute:"solution", value: "All ProFTPD users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-ftp/proftpd-1.3.0a'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:proftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/04"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-ftp/proftpd", unaffected:make_list("ge 1.3.0a"), vulnerable:make_list("lt 1.3.0a"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ProFTPD"); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-217.NASL description A stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier, allows remote attackers to cause a denial of service, as demonstrated by vd_proftpd.pm, a last seen 2020-06-01 modified 2020-06-02 plugin id 24602 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24602 title Mandrake Linux Security Advisory : proftpd (MDKSA-2006:217-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2006:217. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(24602); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171"); script_bugtraq_id(20992); script_xref(name:"MDKSA", value:"2006:217-1"); script_name(english:"Mandrake Linux Security Advisory : proftpd (MDKSA-2006:217-1)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier, allows remote attackers to cause a denial of service, as demonstrated by vd_proftpd.pm, a 'ProFTPD remote exploit.' (CVE-2006-5815) Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products, allows remote attackers to execute arbitrary code via a large data length argument, a different vulnerability than CVE-2006-5815. (CVE-2006-6170) ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the role of CommandBufferSize was originally associated with CVE-2006-5815, but this was an error stemming from an initial vague disclosure. NOTE: ProFTPD developers dispute this issue, saying that the relevant memory location is overwritten by assignment before further use within the affected function, so this is not a vulnerability. (CVE-2006-6171) Packages have been patched to correct these issues. Update : The previous update incorrectly linked the vd_proftd.pm issue with the CommandBufferSize issue. These are two distinct issues and the previous update only addressed CommandBufferSize (CVE-2006-6171), and the mod_tls issue (CVE-2006-6170)." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-anonymous"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_autohost"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_case"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_clamav"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ctrls_admin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_facl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_gss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ifsession"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_load"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_file"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_sql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_radius"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ratio"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_rewrite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_shaper"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_site_misc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_postgres"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_time"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_tls"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap_file"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap_sql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2006.0", reference:"proftpd-1.2.10-13.3.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", reference:"proftpd-anonymous-1.2.10-13.3.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-anonymous-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_autohost-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_case-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_clamav-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ctrls_admin-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_facl-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_gss-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ifsession-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ldap-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_load-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_file-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_ldap-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_sql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_radius-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ratio-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_rewrite-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_shaper-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_site_misc-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql_mysql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql_postgres-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_time-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_tls-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap_file-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap_sql-1.3.0-4.3mdv2007.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1218.NASL description It was discovered that the proftpd FTP daemon performs insufficient validation of FTP command buffer size limits, which may lead to denial of service. last seen 2020-06-01 modified 2020-06-02 plugin id 23704 published 2006-11-22 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23704 title Debian DSA-1218-1 : proftpd - programming error code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1218. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(23704); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2006-6171"); script_xref(name:"DSA", value:"1218"); script_name(english:"Debian DSA-1218-1 : proftpd - programming error"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that the proftpd FTP daemon performs insufficient validation of FTP command buffer size limits, which may lead to denial of service." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399070" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1218" ); script_set_attribute( attribute:"solution", value: "Upgrade the proftpd package. For the stable distribution (sarge) this problem has been fixed in version 1.2.10-15sarge2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:proftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/22"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"proftpd", reference:"1.2.10-15sarge2")) flag++; if (deb_check(release:"3.1", prefix:"proftpd-common", reference:"1.2.10-15sarge2")) flag++; if (deb_check(release:"3.1", prefix:"proftpd-doc", reference:"1.2.10-15sarge2")) flag++; if (deb_check(release:"3.1", prefix:"proftpd-ldap", reference:"1.2.10-15sarge2")) flag++; if (deb_check(release:"3.1", prefix:"proftpd-mysql", reference:"1.2.10-15sarge2")) flag++; if (deb_check(release:"3.1", prefix:"proftpd-pgsql", reference:"1.2.10-15sarge2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family FTP NASL id PROFTPD_1_3_0_A.NASL description The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.0a. As such, it may be affected by one or more of the following vulnerabilities : - An off-by-one string manipulation flaw exists in the last seen 2020-06-01 modified 2020-06-02 plugin id 27055 published 2007-10-15 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27055 title ProFTPD < 1.3.0a Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(27055); script_version("1.24"); script_cvs_date("Date: 2018/11/15 20:50:22"); script_cve_id("CVE-2006-5815", "CVE-2006-6170", "CVE-2006-6171"); script_bugtraq_id(20992); script_name(english:"ProFTPD < 1.3.0a Multiple Vulnerabilities"); script_summary(english:"Checks version number in FTP banner"); script_set_attribute(attribute:"synopsis", value:"The remote FTP server is affected by several vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.0a. As such, it may be affected by one or more of the following vulnerabilities : - An off-by-one string manipulation flaw exists in the 'sreplace' function. (CVE-2006-5815) - A buffer overflow exists in the 'tls_x509_name_oneline' function of the mod_tls module involving the data length argument. (CVE-2006-6170) - An off-by-two buffer overflow exists due to a failure to properly set the buffer size limit when 'CommandBufferSize' is specified in the configuration file, an issue which is disputed by the developers. (CVE-2006-6171) An attacker may be able to leverage this issue to crash the affected service or execute arbitrary code remotely, subject to the privileges under which the application operates."); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/Nov/315"); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/452760/30/0/threaded"); script_set_attribute(attribute:"solution", value:"Upgrade to ProFTPD version 1.3.0a or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/15"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:proftpd:proftpd"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"FTP"); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_dependencies("ftpserver_detect_type_nd_version.nasl"); script_require_keys("ftp/proftpd", "Settings/ParanoidReport"); script_require_ports("Services/ftp", 21); exit(0); } include("audit.inc"); include("global_settings.inc"); include("ftp_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); port = get_ftp_port(default: 21); # Check the version number in the banner. banner = get_ftp_banner(port:port); if (banner && "ProFTPD " >< banner) { # Grab the version. ver = NULL; pat = "^[0-9]{3}[ -]ProFTPD ([0-9][^ ]+) Server"; matches = egrep(pattern:pat, string:banner); foreach match (split(matches)) { match = chomp(match); item = eregmatch(pattern:pat, string:match); if (!isnull(item)) { ver = item[1]; break; } } if (ver && ver =~ "^(0\.|1\.([0-2]\.|3\.0($|rc)))") { report = strcat('\nThe banner reports this is ProFTPD version ', ver, '.\n' ); security_hole(port:port, extra:report); } }
References
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
- http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date
- http://www.debian.org/security/2006/dsa-1218
- http://www.debian.org/security/2006/dsa-1222
- http://www.gentoo.org/security/en/glsa/glsa-200611-26.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:217-1
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.502491
- http://secunia.com/advisories/23174
- http://secunia.com/advisories/23179
- http://secunia.com/advisories/23184
- http://secunia.com/advisories/23207
- http://www.trustix.org/errata/2006/0070
- http://secunia.com/advisories/23329
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.035.html