Thread-topic: CVE-2006-5815: remote code execution in ProFTPD
> -----Original Message-----
> From: John Morrissey [mailto:jwm@xxxxxxxxxxx]
> Sent: Monday, November 27, 2006 7:38 PM
> To: proftpd-announce@xxxxxxxxxxx
> Cc: proftpd-users@xxxxxxxxxxx; proftpd-devel@xxxxxxxxxxx;
> bugtraq@xxxxxxxxxxxxxxxxx
> Subject: CVE-2006-5815: remote code execution in ProFTPD
>
> =======
> Summary
> =======
>
> On 6 November 2006, Evgeny Legerov <admin@xxxxxxxx> posted to BUGTRAQ[1],
> announcing his commercial VulnDisco Pack for Metasploit 2.7[2]. One of the
> included exploits, vd_proftpd.pm, takes advantage of an off-by-one string
> manipulation flaw in ProFTPD's sreplace() function to allow a remote
> attacker to execute arbitrary code.
>
> This vulnerability, identified as CVE-2006-5815[3], is believed to affect
> all versions of ProFTPD up to and including 1.3.0, but exploitability has
> only been demonstrated with version 1.3.0rc3. The demonstrated exploit
> relies on write access via FTP for exploitability, but other attack vectors
> may make exploitation of a read-only FTP server possible.
>
> This vulnerability has been patched[4] in the latest release of ProFTPD,
> 1.3.0a, which is available from the ProFTPD web site,
> http://www.proftpd.org/. Mitigation techniques have also been developed for
> use until a patched version can be installed.
>
>
> ========
> Timeline
> ========
>
> 10 November - security@xxxxxxxxxxx receives a message from a ProFTPD
>               user inquiring about a fix for the vulnerability announced
>               in GLEG's product.
> 10 November - ProFTPD core team attempts contact with admin@xxxxxxxxx
> 15 November - Second contact attempt with admin@xxxxxxxxx
> 16 November - Contact established, vulnerability details transferred.
> 20 November - Disclosure date coordinated.
> 27 November - Coordinated disclosure.
>
> Given the Thanksgiving holiday, the ProFTPD core team chose to perform a
> coordinated disclosure the following Monday, to allow affected users and
> vendors ample opportunity to perform patching operations.
>
> Unfortunately, erroneous information on the location and nature of this flaw
> has disseminated from unofficial sources. Some vendors have already released
> patches that attempt to address CVE-2006-5815 based on reports that a bug in
> ProFTPD's CommandBufferSize processing is its cause. To the best of the core
> team's knowledge, the CommandBufferSize bug in ProFTPD is not exploitable.
>
> Vendors are welcomed and encouraged to contact security@xxxxxxxxxxx to
> exchange information on announced vulnerabilities, and we endeavor to work
> to the best of our abilities with those contacting the core team. Given that
> we had no information about this vulnerability until several days after it
> was published and a CVE issued, we attempted to address it to the best of
> our abilities. Constructive criticism is welcome on how to better handle
> similar situations should they arise in the future.
>
>
> ==========
> Mitigation
> ==========
>
> Some users may not be able to immediately patch their ProFTPD installations.
> Until they are able to install a patched version, the following steps can
> mitigate the impact of this flaw:
>
> - Remove DisplayConnect, DisplayLogin, DisplayChdir, DisplayFirstChdir,
>   DisplayFileTransfer, AccessDenyMsg, and WrapDenyMsg directives from your
>   ProFTPD configuration.
>
> - Avoid using variable substitutions/magic cookies/%-style escapes in
>   /etc/shutmsg, when specifying a warning message with the ftpshut(8)
>   command, or in RewriteRule directives.
>
> - Add a DenyFilter directive to your configuration to limit FTP command
>   arguments to only characters that you require. For example: 'DenyFilter
>   [^A-Za-z0-9_.-]' limits FTP command arguments (such as filenames) to
>   alphanumeric characters, the underscore, period, and dash.
>
>
> [1] http://seclists.org/bugtraq/2006/Nov/0094.html
> [2] http://gleg.net/vulndisco_meta.shtml
> [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
> [4] http://proftp.cvs.sourceforge.net/proftp/proftpd/src/support.c?r1=1.79&r2=1.80&sortby=date
>
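The mitigation steps in the advisory above, turned into a small configuration audit. This is an added example, not code from the ProFTPD project or from the advisory's author; it assumes a simplified line-based proftpd.conf format (one directive per line, `#` comments, `<...>` context tags skipped) and uses a constructed sample config.

```python
import re

# Directives the advisory recommends removing until a patched ProFTPD
# (1.3.0a or later) can be installed.
RISKY_DIRECTIVES = {
    "DisplayConnect", "DisplayLogin", "DisplayChdir", "DisplayFirstChdir",
    "DisplayFileTransfer", "AccessDenyMsg", "WrapDenyMsg",
}

# Constructed sample configuration for demonstration; not a real server's.
SAMPLE_CONF = """\
ServerName "Example FTP"
DisplayLogin welcome.msg
DisplayChdir .message
# a commented-out directive must not be reported
# DisplayConnect connect.msg
RewriteRule ^(.*)$ %f
<Anonymous ~ftp>
  User ftp
</Anonymous>
"""


def parse_directives(conf_text):
    """Yield (directive, argument_string) for each active directive line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank, comment, or <Context> open/close tag
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def audit_config(conf_text):
    """Return a list of findings; an empty list means all three steps are met."""
    findings = []
    has_deny_filter = False
    for name, args in parse_directives(conf_text):
        if name in RISKY_DIRECTIVES:
            findings.append(f"remove {name} ({args})")
        elif name == "RewriteRule" and "%" in args:
            findings.append(f"RewriteRule uses %-escapes: {args}")
        elif name == "DenyFilter":
            has_deny_filter = True
    if not has_deny_filter:
        findings.append("no DenyFilter present; consider 'DenyFilter [^A-Za-z0-9_.-]'")
    return findings


def argument_allowed(deny_filter, arg):
    """DenyFilter rejects a command when its argument matches the regex."""
    return re.search(deny_filter, arg) is None
```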