US-CERT Vulnerability Notes Database

Vulnerability Note VU#405348

ProFTPD fails to properly handle newline characters when transferring files in ASCII mode

Overview

ProFTPD is a popular free File Transfer Protocol (FTP) server package. A vulnerability in its handling of files transferred in ASCII mode can allow an attacker to compromise the system running the server.

I. Description

The File Transfer Protocol (FTP) described in RFC959 defines operations for several data types, including ASCII. For this mode of operation, RFC959 states:

    ... The sender converts the data from an internal character representation to the standard 8-bit NVT-ASCII representation (see the Telnet specification). The receiver will convert the data from the standard form to his own internal form.

    In accordance with the NVT standard, the <CRLF> sequence should be used where necessary to denote the end of a line of text. (See the discussion of file structure at the end of the Section on Data Representation and Storage.)...


Researchers at ISS have discovered a flaw in the way that the ProFTPD server handles this conversion that results in a vulnerability. According to ISS's bulletin:

    A vulnerability exists in the ProFTPD server that can be triggered by remote attackers when transferring files from the FTP server in ASCII mode. The attacker must have the ability to upload a file to the server, and then attempt to download the same file to trigger the vulnerability.

    The vulnerability occurs when a file is being transferred in ASCII mode. During a transfer of this type, file data is examined in 1024 byte chunks to check for newline (\n) characters. The translation of these newline characters is not handled correctly, and a buffer overflow can manifest if ProFTPD parses a specially crafted file.
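
The following C example is added here for illustration; it is not ProFTPD's code and does not come from the ISS bulletin. It shows why LF-to-CRLF translation needs care: a 1024-byte chunk can expand to 2048 bytes, so the encoder checks the worst case before writing and carries CR state across chunk boundaries. The names `ascii_encode`, `ascii_encode_all` and `struct xlate` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK 1024                  /* chunk size named in the ISS bulletin */
struct xlate { int prev_cr; };      /* state carried across chunk boundaries */

/* Convert one chunk from bare-LF text to NVT-ASCII CRLF. Returns bytes
 * written, or (size_t)-1 if out cannot hold the worst case (all-LF input). */
size_t ascii_encode(struct xlate *st, const unsigned char *in, size_t inlen,
                    unsigned char *out, size_t outcap)
{
    size_t i, o = 0;
    if (inlen > outcap / 2)         /* every LF may double: need 2 * inlen */
        return (size_t)-1;
    for (i = 0; i < inlen; i++) {
        if (in[i] == '\n' && !st->prev_cr)
            out[o++] = '\r';        /* bare LF: supply the missing CR */
        out[o++] = in[i];
        st->prev_cr = (in[i] == '\r');
    }
    return o;
}

/* Drive the encoder CHUNK bytes at a time, as a send loop would. */
size_t ascii_encode_all(const unsigned char *in, size_t inlen,
                        unsigned char *out, size_t outcap)
{
    struct xlate st = { 0 };
    size_t off = 0, total = 0;
    while (off < inlen) {
        size_t n = inlen - off < CHUNK ? inlen - off : CHUNK;
        size_t w = ascii_encode(&st, in + off, n, out + total, outcap - total);
        if (w == (size_t)-1)
            return w;
        off += n;
        total += w;
    }
    return total;
}

int main(void)
{
    static unsigned char in[CHUNK], out[2 * CHUNK];
    memset(in, '\n', sizeof in);    /* constructed worst-case input */
    printf("%zu -> %zu bytes\n", sizeof in,
           ascii_encode_all(in, sizeof in, out, sizeof out));
    return 0;
}
```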

II. Impact

A remote attacker may be able to execute arbitrary code on the vulnerable server with elevated privileges.


NOTE: Exploits for this vulnerability are publicly available and the CERT/CC has received reports of active reconnaissance for vulnerable systems.

III. Solution

Apply a patch from the vendor


Patches have been released to address this vulnerability. Please see the vendors section of this document for more details.

Workarounds

Disable uploads in the ProFTPD daemon. Since exploitation of the vulnerability requires an attacker to place a specially crafted file on the vulnerable system, disabling uploads prevents the attacker from doing so via FTP. Note that this step will not prevent exploitation if the attacker is able to upload the file into the FTP area by some other means, such as ssh or a web form.

Systems Affected

Vendor                 Status      Date Updated
Conectiva Linux        Vulnerable  7-Oct-2003
Gentoo Linux           Vulnerable  7-Oct-2003
MandrakeSoft           Vulnerable  7-Oct-2003
OpenPKG                Vulnerable  7-Oct-2003
ProFTPD                Vulnerable  7-Oct-2003
Slackware              Vulnerable  7-Oct-2003
Trustix Secure Linux   Vulnerable  7-Oct-2003
TurboLinux             Vulnerable  7-Oct-2003

References


http://xforce.iss.net/xforce/alerts/id/154
http://www.secunia.com/advisories/9829/

Credit

This vulnerability was discovered and researched by Mark Dowd from Internet Security Systems' (ISS) X-Force. The information was originally published by ISS.

This document was written by Chad R Dougherty based on information published by ISS.

Other Information

Date Public: 09/23/2003
Date First Published: 10/29/2003 12:21:12 PM
Date Last Updated: 10/29/2003
CERT Advisory:
CVE Name: CAN-2003-0831
US-CERT Technical Alerts:
Metric: 35.27
Document Revision: 9

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2003 Carnegie Mellon University