[VIM] ProFTPD issues clarification

Nikns Siankin nikns at secure.lv
Thu Nov 30 09:59:19 EST 2006


If interested:
http://elegerov.blogspot.com/


On Thu, Nov 30, 2006 at 09:42:06AM -0500, Steven M. Christey wrote:
>
>The recent ProFTPD disclosures have introduced a number of errors or
>inconsistencies from different sources, but it looks like ProFTPD and the
>distros have sorted it out.  See below; I consulted with vendor-sec and
>ProFTPD to clear this up.  Note that mod_tls is a third party module.
>
>- Steve
>
>
>======================================================
>Name: CVE-2006-5815
>Status: Candidate
>URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
>Reference: MISC:http://gleg.net/vulndisco_meta.shtml
>Reference: CONFIRM:http://bugs.proftpd.org/show_bug.cgi?id=2858
>Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
>Reference: DEBIAN:DSA-1218
>Reference: URL:http://www.debian.org/security/2006/dsa-1218
>Reference: MANDRIVA:MDKSA-2006:217
>Reference: URL:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:217
>Reference: OPENPKG:OpenPKG-SA-2006.035
>Reference: URL:http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.035-proftpd.html
>Reference: BID:20992
>Reference: URL:http://www.securityfocus.com/bid/20992
>Reference: FRSIRT:ADV-2006-4451
>Reference: URL:http://www.frsirt.com/english/advisories/2006/4451
>Reference: SECTRACK:1017167
>Reference: URL:http://securitytracker.com/id?1017167
>Reference: SECUNIA:22803
>Reference: URL:http://secunia.com/advisories/22803
>Reference: SECUNIA:22821
>Reference: URL:http://secunia.com/advisories/22821
>Reference: SECUNIA:23000
>Reference: URL:http://secunia.com/advisories/23000
>Reference: SECUNIA:23069
>Reference: URL:http://secunia.com/advisories/23069
>Reference: XF:proftpd-code-execution(30147)
>Reference: URL:http://xforce.iss.net/xforce/xfdb/30147
>
>Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0
>and earlier, allows remote attackers to cause a denial of service, as
>demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
>
>
>======================================================
>Name: CVE-2006-6170
>Status: Candidate
>URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6170
>Reference: BUGTRAQ:20061121 Re: [ MDKSA-2006:217 ] - Updated proftpd packages fix vulnerabilities
>Reference: URL:http://www.securityfocus.com/archive/1/archive/1/452228/100/100/threaded
>Reference: BUGTRAQ:20061128 ProFTPD mod_tls pre-authentication buffer overflow
>Reference: URL:http://www.securityfocus.com/archive/1/archive/1/452872/100/0/threaded
>Reference: FULLDISC:20061128 ProFTPD mod_tls pre-authentication buffer overflow
>Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050935.html
>Reference: MISC:http://elegerov.blogspot.com/2006/10/do-you-remember-2-years-old-overflow.html
>Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
>Reference: FRSIRT:ADV-2006-4745
>Reference: URL:http://www.frsirt.com/english/advisories/2006/4745
>Reference: SECUNIA:23141
>Reference: URL:http://secunia.com/advisories/23141
>
>Buffer overflow in the tls_x509_name_oneline function in the mod_tls
>module, as used in ProFTPD 1.3.0a and earlier, and possibly other
>products, allows remote attackers to execute arbitrary code via a
>large data length argument, a different vulnerability than
>CVE-2006-5815.
>
>
>======================================================
>Name: CVE-2006-6171
>Status: Candidate
>URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171
>Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
>Reference: MISC:http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date
>
>** DISPUTED **
>
>ProFTPD 1.3.0a and earlier does not properly set the buffer size limit
>when CommandBufferSize is specified in the configuration file, which
>leads to an off-by-two buffer underflow.  NOTE: in November 2006, the
>role of CommandBufferSize was originally associated with
>CVE-2006-5815, but this was an error stemming from an initial vague
>disclosure.  NOTE: ProFTPD developers dispute this issue, saying that
>the relevant memory location is overwritten by assignment before
>further use within the affected function, so this is not a
>vulnerability.
>
>

