| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Nov 2006 17:22:30 +0300
From: research@...g.net
To: Mark Wadham <mark.wadham@...ti.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: ProFTPD mod_tls pre-authentication buffer
overflow
Hi,
> Hi
>
> Can i get this straight, vendor was notified on the 16th of November,
> but this vulnerability has been part of VulnDisco since Jan 2006? Is
> that actually correct? This was known about ten months ago but not
> disclosed until now?
Absolutely correct.
ProFTPD sreplace bug has been part of VulnDisco since Dec, 2005.
> Mark
>
> research@...g.net wrote:
> > Name: ProFTPD mod_tls pre-authentication buffer overflow
> > Vendor: http://www.proftpd.org
> > Release date: 28 Nov, 2006
> > Author: Evgeny Legerov <research@...g.net>
> >
> > I. DESCRIPTION
> >
> > A remote buffer overflow vulnerability has been found in mod_tls module of
> > ProFTPD server.
> > The vulnerability could allow a remote un-authenticated attacker to gain
> root
> > privileges.
> >
> > II. DETAILS
> >
> > Let's have a look at the code (ProFTPD version 1.3.0):
> >
> > contrib/mod_tls.c:
> > """
> > static char *tls_x509_name_oneline(X509_NAME *x509_name) {
> > static char buf[256] = {'\0'};
> >
> > /* If we are using OpenSSL 0.9.6 or newer, we want to use
> > * X509_NAME_print_ex()
> > * instead of X509_NAME_oneline().
> > */
> >
> > #if OPENSSL_VERSION_NUMBER < 0x000906000L
> > memset(&buf, '\0', sizeof(buf));
> > return X509_NAME_oneline(x509_name, buf, sizeof(buf));
> > #else
> >
> > /* Sigh...do it the hard way. */
> > BIO *mem = BIO_new(BIO_s_mem());
> > char *data = NULL;
> > long datalen = 0;
> > int ok;
> >
> > if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
> > [1] datalen = BIO_get_mem_data(mem, &data);
> >
> > if (data) {
> > memset(&buf, '\0', sizeof(buf));
> > [2] memcpy(buf, data, datalen);
> > buf[datalen] = '\0';
> > buf[sizeof(buf)-1] = '\0';
> >
> > BIO_free(mem);
> > return buf;
> > }
> >
> > BIO_free(mem);
> > return NULL;
> > #endif /* OPENSSL_VERSION_NUMBER >= 0x000906000 */
> > }
> > """
> >
> > The value of 'datalen' parameter is fully controlled by us (see [1]).
> > On line [2] we will be able to overflow the 'buf' buffer with our data.
> >
> > III. VENDOR RESPONSE
> >
> > Vendor has been notified on Nov 16, 2006 but ProFTPD 1.3.0a is still
> vulnerable.
> >
> > IV. CREDIT
> >
> > Discovered by Evgeny Legerov.
> >
> > The vulnerability is a part of VulnDisco Pack Professional since Jan, 2006.
> >
> >
> >
> >
> >
>
>
> --
> Mark Wadham
> e: mark.wadham@...ti.net t: +44 (0)20 8315 5800 f: +44 (0)20 8315 5801
> Areti Internet Ltd., http://www.areti.net/
>
> ===================================================================
> Areti Internet Ltd: BS EN ISO 9001:2000
> Providing corporate Internet solutions for more than 10 years.
> ===================================================================
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
Regards,
Evgeny Legerov
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists