ProFTPD sreplace() stack overflow
|10||(AV:N/AC:L/Au:N/C:C/I:C/A:C)||November 09, 2006||January 23, 2007||February 12, 2015|
ProFTPD releases prior to Nov 27, 2006 are susceptible to a stack-based buffer overflow which could allow an attacker to execute arbitrary code. The vulnerability resides in the sreplace() function, which ProFTPD uses to expand built-in tokens into meaningful strings (such as the current working directory, a user name, etc.). The most common attack vector for this vulnerability is the DisplayFirstChdir directive, which is enabled by default in most ProFTPD installations. This directive specifies a filename (usually ".message") which is processed automatically when a user creates a directory and executes a CHDIR to it for the first time. If the file specified by the DisplayFirstChdir directive is transferred to the directory (via a PUT command), ProFTPD will read the file automatically and pass the data to the vulnerable sreplace() function.
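A token expander that writes into a fixed-size buffer has to check the remaining space before every copy, because the expanded text can be far longer than the input file. The C routine below is an added example of that bounded pattern; it is not ProFTPD's code or its fix, and `expand_tokens`, `put` and `struct token` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical token entry: a marker string and the text it expands to. */
struct token { const char *name; const char *value; };

/* Append n bytes of src at offset *used, refusing if they would not fit. */
static int put(char *dst, size_t cap, size_t *used, const char *src, size_t n)
{
    if (n >= cap - *used)          /* always keep one byte for the NUL */
        return -1;
    memcpy(dst + *used, src, n);
    *used += n;
    dst[*used] = '\0';
    return 0;
}

/*
 * Expand every token found in `in` into `out` (capacity `cap` bytes).
 * Returns the expanded length, or -1 if the result would not fit; on
 * failure `out` is left as the empty string, never a truncated one.
 */
long expand_tokens(char *out, size_t cap, const char *in,
                   const struct token *tok, size_t ntok)
{
    size_t used = 0;
    if (out == NULL || cap == 0 || in == NULL)
        return -1;
    out[0] = '\0';
    while (*in != '\0') {
        size_t i, matched = 0;
        for (i = 0; i < ntok; i++) {
            size_t len = strlen(tok[i].name);
            if (len > 0 && strncmp(in, tok[i].name, len) == 0) {
                if (put(out, cap, &used, tok[i].value, strlen(tok[i].value)) != 0)
                    goto overflow;
                in += len;
                matched = 1;
                break;
            }
        }
        if (!matched && put(out, cap, &used, in++, 1) != 0)
            goto overflow;
    }
    return (long)used;
overflow:
    out[0] = '\0';
    return -1;
}
```

The caller treats -1 as "do not display this file" rather than retrying with a partial result.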
- URL: http://bugs.proftpd.org/show_bug.cgi?id=2858
- URL: http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:217
- URL: http://gleg.net/vulndisco_meta.shtml
- URL: http://www.frsirt.com/english/advisories/2006/4451
- URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:217-1
- URL: http://www.securityfocus.com/archive/1/archive/1/452760/100/200/threaded
- URL: http://www.trustix.org/errata/2006/0066/
- URL: http://www.trustix.org/errata/2006/0070
- URL: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820