Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: CVE-2006-5815: remote code execution in ProFTPD



> -----Original Message-----
> From: John Morrissey [mailto:jwm@xxxxxxxxxxx] 
> Sent: Monday, November 27, 2006 7:38 PM
> To: proftpd-announce@xxxxxxxxxxx
> Cc: proftpd-users@xxxxxxxxxxx; proftpd-devel@xxxxxxxxxxx; 
> bugtraq@xxxxxxxxxxxxxxxxx
> Subject: CVE-2006-5815: remote code execution in ProFTPD
> 
> =======
> Summary
> =======
> 
> On 6 November 2006, Evgeny Legerov <admin@xxxxxxxx> posted to BUGTRAQ[1],
> announcing his commercial VulnDisco Pack for Metasploit 2.7[2]. One of the
> included exploits, vd_proftpd.pm, takes advantage of an off-by-one string
> manipulation flaw in ProFTPD's sreplace() function to allow a remote
> attacker to execute arbitrary code.
> 
> This vulnerability, identified as CVE-2006-5815[3], is believed to affect
> all versions of ProFTPD up to and including 1.3.0, but exploitability has
> only been demonstrated with version 1.3.0rc3. The demonstrated exploit
> relies on write access via FTP for exploitability, but other attack vectors
> may make exploitation of a read-only FTP server possible.
> 
> This vulnerability has been patched[4] in the latest release of ProFTPD,
> 1.3.0a, which is available from the ProFTPD web site,
> http://www.proftpd.org/. Mitigation techniques have also been developed for
> use until a patched version can be installed.
> 
> 
> ========
> Timeline
> ========
> 
> 10 November - security@xxxxxxxxxxx receives a message from a ProFTPD
>               user inquiring about a fix for the vulnerability announced
>               in GLEG's product.
> 10 November - ProFTPD core team attempts contact with admin@xxxxxxxxx
> 15 November - Second contact attempt with admin@xxxxxxxxx
> 16 November - Contact established, vulnerability details transferred.
> 20 November - Disclosure date coordinated.
> 27 November - Coordinated disclosure.
> 
> Given the Thanksgiving holiday, the ProFTPD core team chose to perform a
> coordinated disclosure the following Monday, to allow affected users and
> vendors ample opportunity to perform patching operations.
> 
> Unfortunately, erroneous information on the location and nature of this flaw
> has disseminated from unofficial sources. Some vendors have already released
> patches that attempt to address CVE-2006-5815 based on reports that a bug in
> ProFTPD's CommandBufferSize processing is its cause. To the best of the core
> team's knowledge, the CommandBufferSize bug in ProFTPD is not exploitable.
> 
> Vendors are welcomed and encouraged to contact security@xxxxxxxxxxx to
> exchange information on announced vulnerabilities, and we endeavor to work
> to the best of our abilities with those contacting the core team. Given that
> we had no information about this vulnerability until several days after it
> was published and a CVE issued, we attempted to address it to the best of
> our abilities. Constructive criticism is welcome on how to better handle
> similar situations should they arise in the future.
> 
> 
> ==========
> Mitigation
> ==========
> 
> Some users may not be able to immediately patch their ProFTPD installations.
> Until they are able to install a patched version, the following steps can
> mitigate the impact of this flaw:
> 
> - Remove DisplayConnect, DisplayLogin, DisplayChdir, DisplayFirstChdir,
>   DisplayFileTransfer, AccessDenyMsg, and WrapDenyMsg directives from your
>   ProFTPD configuration.
> 
> - Avoid using variable substitutions/magic cookies/%-style escapes in
>   /etc/shutmsg, when specifying a warning message with the ftpshut(8)
>   command, or in RewriteRule directives.
> 
> - Add a DenyFilter directive to your configuration to limit FTP command
>   arguments to only characters that you require. For example: 'DenyFilter
>   [^A-Za-z0-9_.-]' limits FTP command arguments (such as filenames) to
>   alphanumeric characters, the underscore, period, and dash.
> 
> 
> [1] http://seclists.org/bugtraq/2006/Nov/0094.html
> [2] http://gleg.net/vulndisco_meta.shtml
> [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
> [4] http://proftp.cvs.sourceforge.net/proftp/proftpd/src/support.c?r1=1.79&r2=1.80&sortby=date
> 
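The mitigation steps in the forwarded advisory are easy to miss in a long proftpd.conf, so here is an added audit script (my own example, not part of the advisory and not code from the ProFTPD project) that checks a configuration file for the Display*/DenyMsg directives the advisory says to remove, for RewriteRule lines carrying %-style substitutions, and for the presence of a DenyFilter directive, and separately checks an ftpshut message file for %-style magic cookies. The sample configuration, shutmsg contents and the RewriteRule line are constructed for the demonstration and are not taken from any real deployment; the RewriteRule syntax is illustrative only.

```shell
#!/bin/sh
# Added example (not from the advisory or ProFTPD): audit a proftpd.conf and
# an ftpshut message file against the interim CVE-2006-5815 mitigations.
# All sample files below are constructed for this demonstration.

# Directives the advisory asks to remove until a patched ProFTPD is installed.
RISKY_DIRECTIVES="DisplayConnect DisplayLogin DisplayChdir DisplayFirstChdir \
DisplayFileTransfer AccessDenyMsg WrapDenyMsg"

# Print one finding per line for the given proftpd.conf. Directive names are
# matched case-insensitively at line start, so commented-out lines are ignored.
audit_proftpd_conf() {
    conf="$1"
    for d in $RISKY_DIRECTIVES; do
        if grep -Eiq "^[[:space:]]*$d([[:space:]]|$)" "$conf"; then
            echo "REMOVE: $d is configured"
        fi
    done
    # RewriteRule lines that carry %-style substitutions
    if grep -Eiq '^[[:space:]]*RewriteRule[^#]*%' "$conf"; then
        echo "REVIEW: RewriteRule uses %-style substitution"
    fi
    # The advisory's DenyFilter example restricts FTP command arguments
    if ! grep -Eiq '^[[:space:]]*DenyFilter[[:space:]]' "$conf"; then
        echo "ADD: no DenyFilter directive present"
    fi
    return 0
}

# Number of findings for a config file (0 means all interim mitigations applied).
count_findings() {
    audit_proftpd_conf "$1" | wc -l | tr -d ' '
}

# "yes" if the ftpshut message (everything after the schedule line) uses
# %-style magic cookies, "no" otherwise.
shutmsg_uses_cookies() {
    if tail -n +2 "$1" | grep -q '%[A-Za-z]'; then
        echo yes
    else
        echo no
    fi
}

WORK="${TMPDIR:-/tmp}/proftpd_audit_$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed "before" configuration: several Display* directives and a
# RewriteRule with a %-substitution (syntax illustrative only).
cat > "$WORK/weak.conf" <<'EOF'
ServerName "Example FTP"
DisplayLogin /etc/proftpd/welcome.msg
DisplayChdir .message
AccessDenyMsg "Access denied for %u"
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule ^(.*)$ %{user}/$1
</IfModule>
EOF

# Constructed mitigated configuration: Display*/DenyMsg directives removed and
# the advisory's DenyFilter added.
cat > "$WORK/mitigated.conf" <<'EOF'
ServerName "Example FTP"
# Display* and *DenyMsg directives removed until 1.3.0a is installed
DenyFilter [^A-Za-z0-9_.-]
EOF

# Constructed shutmsg: first line is the ftpshut schedule, the rest is the message.
cat > "$WORK/shutmsg" <<'EOF'
2006 11 27 1800 0010 0005
Server going down at %s, please log off.
EOF

echo "== weak.conf =="
audit_proftpd_conf "$WORK/weak.conf"
echo "== mitigated.conf =="
audit_proftpd_conf "$WORK/mitigated.conf"
echo "shutmsg uses cookies: $(shutmsg_uses_cookies "$WORK/shutmsg")"
```

Run it as-is to see the findings for both constructed files, or point `audit_proftpd_conf` and `shutmsg_uses_cookies` at a real proftpd.conf and /etc/shutmsg. The script only reports; removing directives and adding the DenyFilter remain manual steps, and none of this replaces upgrading to 1.3.0a.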
Copyright © Lexa Software, 1996-2009.