ProFTPD is a popular FTP server. The ProFTPD Controls module contains a buffer overflow that a local attacker can exploit to escalate privileges and obtain root. The problem lies in the "Controls" module, an optional feature of the ProFTPD server that must be enabled in the configuration file. Controls is the module used to communicate with a standalone ProFTPD daemon; it gives administrators a way to change the daemon's behaviour at run time without restarting it. The problem code is in the pr_ctrls_recv_request() function in src/ctrls.c:

----------------------------------------------------
(Code from ProFTPD 1.3.0a, src/ctrls.c)

int pr_ctrls_recv_request(pr_ctrls_cl_t *cl) {
  pr_ctrls_t *ctrl = NULL, *next_ctrl = NULL;
  char reqaction[512] = {'\0'}, *reqarg = NULL;
  size_t reqargsz = 0;
  unsigned int nreqargs = 0, reqarglen = 0;

  . . .

  /* Next, read in the requested number of arguments.  The client sends
   * the arguments in pairs: first the length of the argument, then the
   * argument itself.  The first argument is the action, so get the first
   * matching pr_ctrls_t (if present), and add the remaining arguments to it.
   */

(1) if (read(cl->cl_fd, &reqarglen, sizeof(unsigned int)) < 0) {
    pr_signals_unblock();
    return -1;
  }

(2) if (read(cl->cl_fd, reqaction, reqarglen) < 0) {
    pr_signals_unblock();
    return -1;
  }

  . . .
}
----------------------------------------------------

In (1) the integer 'reqarglen' is entirely attacker-controlled, since it is read directly from the control socket. This lets the attacker decide how many bytes are read into the 'reqaction' variable in (2), which can trigger a buffer overflow. The vulnerability allows a local attacker with access to the control feature to obtain root privileges.

Affected products:
ProFTPD Project ProFTPD 1.3 a
ProFTPD Project ProFTPD 1.3
OpenPKG OpenPKG E1.0-Solid
MandrakeSoft Linux Mandrake 2007.0 x86_64
MandrakeSoft Linux Mandrake 2007.0

Upgrade:
ProFTPD Project ProFTPD 1.3
* ProFTPD Project proftpd-1.3.0a.tar.bz2
ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0a.tar.bz2
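As an added example that is not ProFTPD's own code: the same length-then-payload read sequence as (1) and (2) above, rewritten so the length is checked against the destination buffer before any data is read into it, and fed through a local pipe so it runs stand-alone. The function names recv_action_checked, read_full and run_case are assumptions made for this example.

```c
/* Added example (not ProFTPD code): bounds-checked version of the
 * "read length, then read that many bytes" pattern from pr_ctrls_recv_request(). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REQACTION_SZ 512   /* same size as ProFTPD's reqaction[] buffer */

/* Read exactly n bytes, retrying on short reads. 0 on success, -1 on error or EOF. */
static int read_full(int fd, void *buf, size_t n) {
    char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0) return -1;              /* peer closed before sending everything */
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Hardened parser: the client-supplied length is only honoured once it has been
 * checked against the buffer size (keeping one byte for the terminating NUL).
 * Returns the action length, or -1 on a malformed or truncated request. */
int recv_action_checked(int fd, char *reqaction, size_t reqaction_sz) {
    unsigned int reqarglen = 0;
    if (read_full(fd, &reqarglen, sizeof reqarglen) < 0) return -1;
    if (reqarglen == 0 || reqarglen >= reqaction_sz)      /* the check step (2) lacks */
        return -1;
    if (read_full(fd, reqaction, reqarglen) < 0) return -1;
    reqaction[reqarglen] = '\0';
    return (int)reqarglen;
}

/* Harness: send a constructed (claimed length, payload) pair through a pipe,
 * the way a client would over the control socket, and return the parser's result. */
int run_case(unsigned int claimed_len, const char *payload, size_t payload_len) {
    int fds[2];
    char reqaction[REQACTION_SZ];
    if (pipe(fds) != 0) return -2;
    if (write(fds[1], &claimed_len, sizeof claimed_len) < 0) return -2;
    if (payload_len > 0 && write(fds[1], payload, payload_len) < 0) return -2;
    close(fds[1]);
    int rc = recv_action_checked(fds[0], reqaction, sizeof reqaction);
    close(fds[0]);
    return rc;
}

int main(void) {
    printf("valid request:     %d\n", run_case(4, "stop", 4));      /* 4 */
    printf("oversized length:  %d\n", run_case(4096, "AAAA", 4));   /* -1, rejected before reading */
    return 0;
}
```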