ProFTPD ftpshut Shutdown Message Format String

2005-07-26T07:58:14
ID OSVDB:18270
Type osvdb
Reporter Sean(infamous41md@hotpop.com)
Modified 2005-07-26T07:58:14

Description

Vulnerability Description

ProFTPD contains a flaw that may allow a malicious user to modify memory buffers. The issue is triggered when the %C, %R, and %U variables are used in the shutdown message configuration (ftpshut). A rogue user, if allowed to create directories, can name one in such a way that the %C option will print data in memory buffers. The two other options which might be vulnerable to the same abuse are user name, and remote host name.

Solution Description

Upgrade to version 1.3.0rc2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Do not use variables for shutdown commands in the ProFTPD configuration file.

Short Description

ProFTPD contains a flaw that may allow a malicious user to modify memory buffers. The issue is triggered when the %C, %R, and %U variables are used in the shutdown message configuration (ftpshut). A rogue user, if allowed to create directories, can name one in such a way that the %C option will print data in memory buffers. The two other options which might be vulnerable to the same abuse are user name, and remote host name.

References:

Secunia Advisory ID:16181 Secunia Advisory ID:16349 Secunia Advisory ID:16288 Secunia Advisory ID:16448 Secunia Advisory ID:16681 Related OSVDB ID: 18271 Other Advisory URL: http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:140 Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200508-02.xml Other Advisory URL: http://lists.trustix.org/pipermail/tsl-announce/2005-August/000335.html Other Advisory URL: http://www.debian.org/security/2005/dsa-795 Other Advisory URL: http://www.proftpd.org/docs/RELEASE_NOTES-1.3.0rc2 CVE-2005-2390