Vulnerabilities > CVE-2006-6563 - Local Buffer Overflow vulnerability in Proftpd Project Proftpd 1.3.0/1.3.0A
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
SINGLE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value. This vulnerability is addressed in the following product update: ProFTPD Project, ProFTPD, 1.3.1rc1
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Exploit-Db
description ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit. CVE-2006-6563. Local exploit for linux platform file exploits/linux/local/3330.pl id EDB-ID:3330 last seen 2016-01-31 modified 2007-02-18 platform linux port published 2007-02-18 reporter Revenge source https://www.exploit-db.com/download/3330/ title ProFTPD 1.3.0/1.3.0a - mod_ctrls support Local Buffer Overflow Exploit 1 type local description ProFTPd Local pr_ctrls_connect Vuln - ftpdctl. CVE-2006-6563. Local exploit for linux platform id EDB-ID:394 last seen 2016-01-31 modified 2004-08-13 published 2004-08-13 reporter pi3 source https://www.exploit-db.com/download/394/ title ProFTPd - Local pr_ctrls_connect Vulnerability ftpdctl description ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit 2. CVE-2006-6563. Local exploit for linux platform id EDB-ID:3333 last seen 2016-01-31 modified 2007-02-19 published 2007-02-19 reporter Revenge source https://www.exploit-db.com/download/3333/ title ProFTPD 1.3.0/1.3.0a - mod_ctrls support Local Buffer Overflow Exploit 2
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-232.NASL description Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value. Packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 24615 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24615 title Mandrake Linux Security Advisory : proftpd (MDKSA-2006:232) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2006:232. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(24615); script_version ("1.15"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id("CVE-2006-6563"); script_xref(name:"MDKSA", value:"2006:232"); script_name(english:"Mandrake Linux Security Advisory : proftpd (MDKSA-2006:232)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value. Packages have been patched to correct these issues." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:S/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-anonymous"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_autohost"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_case"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_clamav"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ctrls_admin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_facl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_gss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ifsession"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_load"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_file"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_sql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_radius"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ratio"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_rewrite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_shaper"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_site_misc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_postgres"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_time"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_tls"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap_file"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap_sql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2007.0", reference:"proftpd-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-anonymous-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_autohost-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_case-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_clamav-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ctrls_admin-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_facl-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_gss-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ifsession-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ldap-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_load-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_file-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_ldap-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_quotatab_sql-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_radius-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_ratio-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_rewrite-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_shaper-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_site_misc-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql_mysql-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_sql_postgres-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_time-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_tls-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap_file-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"proftpd-mod_wrap_sql-1.3.0-4.4mdv2007.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200702-02.NASL description The remote host is affected by the vulnerability described in GLSA-200702-02 (ProFTPD: Local privilege escalation) A flaw exists in the mod_ctrls module of ProFTPD, normally used to allow FTP server administrators to configure the daemon at runtime. Impact : An FTP server administrator permitted to interact with mod_ctrls could potentially compromise the ProFTPD process and execute arbitrary code with the privileges of the FTP Daemon, which is normally the root user. Workaround : Disable mod_ctrls, or ensure only trusted users can access this feature. last seen 2020-06-01 modified 2020-06-02 plugin id 24351 published 2007-02-15 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24351 title GLSA-200702-02 : ProFTPD: Local privilege escalation code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200702-02. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(24351); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:43"); script_cve_id("CVE-2006-6563"); script_xref(name:"GLSA", value:"200702-02"); script_name(english:"GLSA-200702-02 : ProFTPD: Local privilege escalation"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200702-02 (ProFTPD: Local privilege escalation) A flaw exists in the mod_ctrls module of ProFTPD, normally used to allow FTP server administrators to configure the daemon at runtime. Impact : An FTP server administrator permitted to interact with mod_ctrls could potentially compromise the ProFTPD process and execute arbitrary code with the privileges of the FTP Daemon, which is normally the root user. Workaround : Disable mod_ctrls, or ensure only trusted users can access this feature." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200702-02" ); script_set_attribute( attribute:"solution", value: "All ProFTPD users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-ftp/proftpd-1.3.1_rc1'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:S/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:proftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/02/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/15"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-ftp/proftpd", unaffected:make_list("ge 1.3.1_rc1"), vulnerable:make_list("lt 1.3.1_rc1"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ProFTPD"); }NASL family FTP NASL id PROFTPD_1_3_1_RC1.NASL description The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.1rc1 and is affected by a local, stack-based buffer overflow. The function last seen 2020-06-01 modified 2020-06-02 plugin id 17718 published 2011-11-18 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17718 title ProFTPD < 1.3.1rc1 mod_ctrls Module pr_ctrls_recv_request Function Local Overflow code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(17718); script_version("1.7"); script_cvs_date("Date: 2018/11/15 20:50:22"); script_cve_id("CVE-2006-6563"); script_bugtraq_id(21587); script_xref(name:"EDB-ID", value:"394"); script_xref(name:"EDB-ID", value:"3330"); script_xref(name:"EDB-ID", value:"3333"); script_name(english:"ProFTPD < 1.3.1rc1 mod_ctrls Module pr_ctrls_recv_request Function Local Overflow"); script_summary(english:"Checks version of ProFTPD."); script_set_attribute(attribute:"synopsis", value: "The remote FTP server is affected by a local buffer overflow vulnerability."); script_set_attribute(attribute:"description", value: "The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.1rc1 and is affected by a local, stack-based buffer overflow. The function 'pr_ctrls_recv_request' in the file 'src/ctrls.c' belonging to the 'mod_ctrls' module does not properly handle large values in the 'reqarglen' parameter. This error can allow a local attacker to execute arbitrary code."); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/454320/100/0/threaded"); script_set_attribute(attribute:"see_also", value:"https://sourceforge.net/p/proftp/mailman/message/168826/"); script_set_attribute(attribute:"solution", value:"Upgrade to ProFTPD version 1.3.1rc1 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/12"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/18"); script_set_attribute(attribute:"cpe", value:"cpe:/a:proftpd:proftpd"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"FTP"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("ftp_overflow.nasl", "ftpserver_detect_type_nd_version.nasl"); script_require_keys("ftp/proftpd", "Settings/ParanoidReport"); script_require_ports("Services/ftp", 21); exit(0); } include("audit.inc"); include("ftp_func.inc"); include("global_settings.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); port = get_ftp_port(default: 21); banner = get_ftp_banner(port:port); if (!banner) exit(1, "Unable to obtain the banner from the FTP server listening on port "+port+"."); if ("ProFTPD" >!< banner) exit(1, "The FTP server listening on port "+port+" does not appear to be ProFTPD."); matches = eregmatch(string:banner, pattern:"ProFTPD ([0-9a-z.]+) "); if (isnull(matches)) exit(1, "Failed to extract the version of ProFTPD listening on port "+port+"."); version = matches[1]; if (version =~ '^1(\\.3)?$') exit(1, "The banner from ProFTPD listening on port "+port+" - "+banner+" - is not granular enough."); if ( version =~ "^0($|\.)" || version =~ "^1\.[0-2]($|\.)" || version =~ "^1\.3\.0($|\.|[^0-9])" ) { if (report_verbosity > 0) { report = '\n Version source : ' + chomp(banner) + '\n Installed version : ' + version + '\n Fixed version : 1.3.1rc1\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else exit(0, "The ProFTPD "+version+" server listening on port "+port+" is not affected.");
References
- http://secunia.com/advisories/23371
- http://secunia.com/advisories/23392
- http://secunia.com/advisories/23473
- http://secunia.com/advisories/24163
- http://security.gentoo.org/glsa/glsa-200702-02.xml
- http://www.coresecurity.com/?module=ContentMod&action=item&id=1594
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:232
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.039.html
- http://www.proftpd.org/docs/NEWS-1.3.1rc1
- http://www.securityfocus.com/archive/1/454320/100/0/threaded
- http://www.securityfocus.com/archive/1/460648/100/0/threaded
- http://www.securityfocus.com/archive/1/460756/100/0/threaded
- http://www.securityfocus.com/bid/21587
- http://www.trustix.org/errata/2006/0074/
- http://www.vupen.com/english/advisories/2006/4998
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30906
- https://www.exploit-db.com/exploits/3330