漏洞信息详情
ProFTPD mod_tls预认证远程缓冲区溢出漏洞
- CNNVD编号:CNNVD-200611-482
- 危害等级: 超危
- CVE编号: CVE-2006-6170
- 漏洞类型: 缓冲区溢出
- 发布时间: 2006-11-30
- 威胁类型: 远程
- 更新时间: 2006-11-30
- 厂 商: proftpd_project
- 漏洞来源: Evgeny Legerov ala...
漏洞简介
ProFTPD是一款开放源代码FTP服务程序。
ProFTPD的模块mod_tls在处理用户认证时存在缓冲溢出漏洞,远程攻击者可能利用此漏洞完全控制服务器。
ProFTPD的mod_tls模块的tls_x509_name_oneline()函数中存在远程溢出漏洞,允许远程未经认证的攻击者获得root用户权限。漏洞相关的代码如下:
contrib/mod_tls.c:
\"\"\"
static char *tls_x509_name_oneline(X509_NAME *x509_name) {
static char buf[256] = {\'\'\0\'\'};
/* If we are using OpenSSL 0.9.6 or newer, we want to use
* X509_NAME_print_ex()
* instead of X509_NAME_oneline().
*/
#if OPENSSL_VERSION_NUMBER < 0x000906000L
memset( &buf, \'\'\0\'\', sizeof(buf));
return X509_NAME_oneline(x509_name, buf, sizeof(buf));
#else
/* Sigh...do it the hard way. */
BIO *mem = BIO_new(BIO_s_mem());
char *data = NULL;
long datalen = 0;
int ok;
if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
[1] datalen = BIO_get_mem_data(mem, &data);
if (data) {
memset( &buf, \'\'\0\'\', sizeof(buf));
[2] memcpy(buf, data, datalen);
buf[datalen] = \'\'\0\'\';
buf[sizeof(buf)-1] = \'\'\0\'\';
BIO_free(mem);
return buf;
}
BIO_free(mem);
return NULL;
#endif /* OPENSSL_VERSION_NUMBER >= 0x000906000 */
}
\"\"\"
datalen参数的值是完全可控的(见[1]),因此在[2]行就可以用攻击者的数据覆盖buf缓冲区。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
http://www.debian.org/security/2005/dsa-1222
参考网址
来源: bugzilla.redhat.com
链接:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
来源: BUGTRAQ
名称: 20061128 ProFTPD mod_tls pre-authentication buffer overflow
链接:http://www.securityfocus.com/archive/1/archive/1/452872/100/0/threaded
来源: BUGTRAQ
名称: 20061121 Re: [ MDKSA-2006:217 ] - Updated proftpd packages fix vulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/452228/100/100/threaded
来源: VUPEN
名称: ADV-2006-4745
链接:http://www.frsirt.com/english/advisories/2006/4745
来源: SECUNIA
名称: 23141
链接:http://secunia.com/advisories/23141
来源: FULLDISC
名称: 20061128 ProFTPD mod_tls pre-authentication buffer overflow
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050935.HTML
来源: MISC
链接:http://elegerov.blogspot.com/2006/10/do-you-remember-2-years-old-overflow.HTML
来源: XF
名称: proftpd-modtls-bo(30554)
链接:http://xforce.iss.net/xforce/xfdb/30554
来源: TRUSTIX
名称: 2006-0066
链接:http://www.trustix.org/errata/2006/0066
来源: BID
名称: 21326
链接:http://www.securityfocus.com/bid/21326
来源: BUGTRAQ
名称: 20061129 Re: ProFTPD mod_tls pre-authentication buffer overflow
链接:http://www.securityfocus.com/archive/1/archive/1/452993/100/100/threaded
来源: MANDRIVA
名称: MDKSA-2006:217-1
链接:http://www.mandriva.com/security/advisories?name=MDKSA-2006:217-1
来源: GENTOO
名称: GLSA-200611-26
链接:http://www.gentoo.org/security/en/glsa/glsa-200611-26.xml
来源: DEBIAN
名称: DSA-1222
链接:http://www.debian.org/security/2006/dsa-1222
来源: SLACKWARE
名称: SSA:2006-335-02
链接:http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.502491
来源: SECUNIA
名称: 23207
链接:http://secunia.com/advisories/23207
来源: SECUNIA
名称: 23184
链接:http://secunia.com/advisories/23184
来源: SECUNIA
名称: 23179
链接:http://secunia.com/advisories/23179
来源: SECUNIA
名称: 23174
链接:http://secunia.com/advisories/23174
受影响实体
- Proftpd_project Proftpd:1.3.0a
补丁
暂无
评论