正文

ProFTPD SReplace远程单字节溢出漏洞

admin
admin V管理员 /0 评论 /7 阅读
0103
此篇文章发布距今已超过1235天,您需要注意文章的内容或图片是否可用!

漏洞信息详情

ProFTPD SReplace远程单字节溢出漏洞

  • CNNVD编号:CNNVD-200611-144
    • <!--
  • 危害等级: 超危-->
  • 危害等级: 超危
  • CVE编号: CVE-2006-5815
  • 漏洞类型: 缓冲区溢出
  • 发布时间: 2006-11-08
  • 威胁类型: 远程
  • 更新时间: 2007-08-21
  • 厂        商: proftpd_project
  • 漏洞来源: Evgeny Legerov ala...

漏洞简介

ProFTPD是一款开放源代码FTP服务程序。

ProFTPD的src/support.c文件中的sreplace()函数在处理特制请求时存在单字节溢出漏洞。漏洞分析代码如下:

\"\"\"

char *sreplace(pool *p, char *s, ...) {

va_list args;

char *m,*r,*src = s,*cp;

char **mptr,**rptr;

char *marr[33],*rarr[33];

char buf[PR_TUNABLE_PATH_MAX] = {\'\'\0\'\'}, *pbuf = NULL;

size_t mlen = 0, rlen = 0, blen;

int dyn = TRUE;

cp = buf;

*cp = \'\'\0\'\';

memset(marr, \'\'\0\'\', sizeof(marr));

memset(rarr, \'\'\0\'\', sizeof(rarr));

blen = strlen(src) + 1;

va_start(args, s);

while ((m = va_arg(args, char *)) != NULL & & mlen < sizeof(marr)-1) {

char *tmp = NULL;

size_t count = 0;

if ((r = va_arg(args, char *)) == NULL)

break;

/* Increase the length of the needed buffer by the difference between

* the given match and replacement strings, multiplied by the number

* of times the match string occurs in the source string.

*/

tmp = strstr(s, m);

while (tmp) {

pr_signals_handle();

count++;

/* Be sure to increment the pointer returned by strstr(3), to

* advance past the beginning of the substring for which we are

* looking. Otherwise, we just loop endlessly, seeing the same

* value for tmp over and over.

*/

tmp += strlen(m);

tmp = strstr(tmp, m);

}

/* We are only concerned about match/replacement strings that actually

* occur in the given string.

*/

if (count) {

blen += count * (strlen(r) - strlen(m));

marr[mlen] = m;

rarr[mlen++] = r;

}

}

va_end(args);

/* Try to handle large buffer situations (i.e. escaping of

* PR_TUNABLE_PATH_MAX

* (>2048) correctly, but do not allow very big buffer sizes, that may

* be dangerous (BUFSIZ may be defined in stdio.h) in some library

* functions.

*/

#ifndef BUFSIZ

# define BUFSIZ 8192

#endif

if (blen < BUFSIZ)

[1] cp = pbuf = (char *) pcalloc(p, ++blen); if (!pbuf) {

[2] cp = pbuf = buf;

dyn = FALSE;

blen = sizeof(buf);

}

while (*src) {

for (mptr = marr, rptr = rarr; *mptr; mptr++, rptr++) {

mlen = strlen(*mptr);

rlen = strlen(*rptr);

if (strncmp(src, *mptr, mlen) == 0) {

[3] sstrncpy(cp, *rptr, blen - strlen(pbuf));

if (((cp + rlen) - pbuf + 1) > blen) {

pr_log_pri(PR_LOG_ERR,

\"WARNING: attempt to overflow internal ProFTPD buffers\");

cp = pbuf + blen - 1;

goto done;

} else {

cp += rlen;

}

src += mlen;

break;

}

}

if (!*mptr) {

[4] if ((cp - pbuf + 1) > blen) {

pr_log_pri(PR_LOG_ERR,

\"WARNING: attempt to overflow internal ProFTPD buffers\");

cp = pbuf + blen - 1;

}

*cp++ = *src++;

}

}

done:

*cp = \'\'\0\'\';

if (dyn)

return pbuf;

return pstrdup(p, buf);

}

\"\"\"

blen的值是可控的,如果将其设置为小于BUFSIZ的值的话(见[1])就可以触发堆溢出,否则可以触发栈溢出(见[2])。

由于在[4]行的错误计算,攻击者可以控制pbuf最后的空字节,这样strlen(pbuf)就会大于blen。由于第三个参数为负数时sstrncpy函数仍可运行,因此[3]行的代码会使用攻击者的数据覆盖pbuf缓冲区。

目前已知至少有两种攻击方式:

1. MKD命令

2. pr_display_file

漏洞公告

目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:

http://www.debian.org/security/2005/dsa-1218

参考网址

来源:bugzilla.redhat.com

链接:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

来源: XF

名称: proftpd-code-execution(30147)

链接:http://xforce.iss.net/xforce/xfdb/30147

来源: TRUSTIX

名称: 2006-0070

链接:http://www.trustix.org/errata/2006/0070

来源: TRUSTIX

名称: 2006-0066

链接:http://www.trustix.org/errata/2006/0066/

来源: BID

名称: 20992

链接:http://www.securityfocus.com/bid/20992

来源: BUGTRAQ

名称: 20061127 CVE-2006-5815: remote code execution in ProFTPD

链接:http://www.securityfocus.com/archive/1/archive/1/452760/100/200/threaded

来源: OPENPKG

名称: OpenPKG-SA-2006.035

链接:http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.035-proftpd.html

来源: MANDRIVA

名称: MDKSA-2006:217-1

链接:http://www.mandriva.com/security/advisories?name=MDKSA-2006:217-1

来源: MANDRIVA

名称: MDKSA-2006:217

链接:http://www.mandriva.com/security/advisories?name=MDKSA-2006:217

来源: GENTOO

名称: GLSA-200611-26

链接:http://www.gentoo.org/security/en/glsa/glsa-200611-26.xml

来源: VUPEN

名称: ADV-2006-4451

链接:http://www.frsirt.com/english/advisories/2006/4451

来源: DEBIAN

名称: DSA-1222

链接:http://www.debian.org/security/2006/dsa-1222

来源: SLACKWARE

名称: SSA:2006-335-02

链接:http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.502491

来源: SECTRACK

名称: 1017167

链接:http://securitytracker.com/id?1017167

来源: SECUNIA

名称: 23207

链接:http://secunia.com/advisories/23207

来源: SECUNIA

名称: 23184

链接:http://secunia.com/advisories/23184

来源: SECUNIA

名称: 23179

链接:http://secunia.com/advisories/23179

来源: SECUNIA

名称: 23174

链接:http://secunia.com/advisories/23174

来源: SECUNIA

名称: 23125

链接:http://secunia.com/advisories/23125

来源: SECUNIA

名称: 23069

链接:http://secunia.com/advisories/23069

来源: SECUNIA

名称: 23000

链接:http://secunia.com/advisories/23000

来源: SECUNIA

名称: 22821

链接:http://secunia.com/advisories/22821

来源: SECUNIA

名称: 22803

链接:http://secunia.com/advisories/22803

来源: MANDRIVA

名称: MDKSA-2006:217

链接:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:217

来源: bugs.proftpd.org

链接:http://bugs.proftpd.org/show_bug.cgi?id=2858

受影响实体

  • Proftpd_project Proftpd:1.3.0  
    <!--
    2000-1-1
    -->

补丁

    暂无