Evgeny Legerov has released another ProFTPD vulnerability, this time in the X509 certificate handling. No CVE yet. See bug #154650 for the previous vulnerability. ***** Name: ProFTPD mod_tls pre-authentication buffer overflow Vendor: http://www.proftpd.org Release date: 28 Nov, 2006 Author: Evgeny Legerov <research_at_gleg.net> I. DESCRIPTION A remote buffer overflow vulnerability has been found in mod_tls module of ProFTPD server. The vulnerability could allow a remote un-authenticated attacker to gain root privileges. II. DETAILS Let's have a look at the code (ProFTPD version 1.3.0): contrib/mod_tls.c: """ static char *tls_x509_name_oneline(X509_NAME *x509_name) { static char buf[256] = {'\0'}; /* If we are using OpenSSL 0.9.6 or newer, we want to use * X509_NAME_print_ex() * instead of X509_NAME_oneline(). */ #if OPENSSL_VERSION_NUMBER < 0x000906000L memset(&buf, '\0', sizeof(buf)); return X509_NAME_oneline(x509_name, buf, sizeof(buf)); #else /* Sigh...do it the hard way. */ BIO *mem = BIO_new(BIO_s_mem()); char *data = NULL; long datalen = 0; int ok; if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE))) [1] datalen = BIO_get_mem_data(mem, &data); if (data) { memset(&buf, '\0', sizeof(buf)); [2] memcpy(buf, data, datalen); buf[datalen] = '\0'; buf[sizeof(buf)-1] = '\0'; BIO_free(mem); return buf; } BIO_free(mem); return NULL; #endif /* OPENSSL_VERSION_NUMBER >= 0x000906000 */ } """ The value of 'datalen' parameter is fully controlled by us (see [1]). On line [2] we will be able to overflow the 'buf' buffer with our data. III. VENDOR RESPONSE Vendor has been notified on Nov 16, 2006 but ProFTPD 1.3.0a is still vulnerable. IV. CREDIT Discovered by Evgeny Legerov. The vulnerability is a part of VulnDisco Pack Professional since Jan, 2006.
rolling this into bug #154650 for easier stability tracking. *** This bug has been marked as a duplicate of 154650 ***
hum mmm i disagree with the "duplicate" because this is not the same vuln, and, above all, this vuln is not patched yet. So bug 154650 might become fixed before this one has any patch from upstream. Indeed bug 154650 is already fixed on several arches.
OK sorry Matt, i haven't seen that Chtekk's brand new ebuild has just addressed the mod_tls issue *too*. *** This bug has been marked as a duplicate of 154650 ***