On Sun, Oct 19, 2008 at 01:46:05AM +0100, Ian Beckwith wrote:
> Package: proftpd-basic
> Version: 1.3.1-14
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> proftpd in debian is vulnerable to CVE-2008-4242:
> 
> > ProFTPD 1.3.1 interprets long commands from an FTP client as
> > multiple commands, which allows remote attackers to conduct
> > cross-site request forgery (CSRF) attacks and execute arbitrary FTP
> > commands via a long ftp:// URI that leverages an existing session
> > from the FTP client implementation in a web browser.
> 
> See:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4242
> 
> http://securityreason.com/achievement_securityalert/56
> 
> http://bugs.proftpd.org/show_bug.cgi?id=3115
> 
> There is a patch in proftpd CVS (src/netio.c 1.34 and src/main.c
> 1.345), but it will need backporting to the version in Debian.
> 
> The equivalent bugs in ftpd and ftpd-ssl are #500278 and #500518, but
> the codebase has diverged enough that the patches aren't applicable.
> 
> To test for the vulnerability:
> 
> $  perl -e 'print "A"x1022,"QUIT\n"' | nc localhost 21
> 220 ProFTPD 1.3.1 Server (Debian) [10.1.1.2]
> 500 
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>  not understood
> 221 Goodbye.
> 
> 
> This splits the command-line and then incorrectly honours the QUIT.
> 
> Ian.
> 

Ah, thanks for the detailed report. Indeed it requires specific lengths for
the exploiting buffer, which explains why I did not match it when I tried
some weeks ago. It indeed applies also to 1.3.0 on etch.
Ok, let's patch...

-- 
Francesco P. Lovergine
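
As an added example (not code from the bug report, from Debian, or from ProFTPD itself), the Python below models the command-reader behaviour the report describes: a reader that hands back whatever filled its buffer as a complete command, so an over-long line becomes two commands and the trailing QUIT is honoured, beside a reader that rejects an over-long line outright, which is the behaviour a fix needs. It also includes a probe function that sends the same 1022 A's plus QUIT payload as the perl one-liner above and reports whether the server answered with a 221. The 1022-byte threshold is inferred from the report's probe; the function names, the rejection marker and the probe's default host and port are assumptions made here.

```python
import socket

# Bytes the vulnerable reader consumes before its buffer is exhausted.  Inferred
# from the report (1022 A's are split off from the following QUIT); the exact
# arithmetic inside ProFTPD's buffer handling is an assumption here.
MAX_CMD = 1022

# Same payload as the report's  perl -e 'print "A"x1022,"QUIT\n"'  (constructed).
PROBE = b"A" * MAX_CMD + b"QUIT\n"


def read_commands_vulnerable(stream: bytes, max_cmd: int = MAX_CMD) -> list[bytes]:
    """Model of the vulnerable reader: when the buffer fills before a newline
    arrives, the partial line is returned as a command and the remainder of the
    same line is returned as the *next* command."""
    cmds = []
    pos = 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos)
        end = len(stream) if nl < 0 else nl + 1
        take = min(end, pos + max_cmd)          # buffer full: stop early, no discard
        cmds.append(stream[pos:take].rstrip(b"\r\n"))
        pos = take                              # leftover bytes start a new command
    return cmds


def read_commands_fixed(stream: bytes, max_cmd: int = MAX_CMD) -> list:
    """Model of a corrected reader: a line longer than the buffer is rejected as a
    whole (recorded as None so callers can answer with an error) and everything
    up to and including its newline is discarded, so nothing inside it can be
    interpreted as a second command."""
    cmds = []
    pos = 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos)
        end = len(stream) if nl < 0 else nl + 1
        if end - pos > max_cmd:
            cmds.append(None)                   # over-long line: reject, emit nothing
            pos = end
            continue
        cmds.append(stream[pos:end].rstrip(b"\r\n"))
        pos = end
    return cmds


def honours_injected_quit(cmds: list) -> bool:
    """True if a command list produced from PROBE-style input would execute a
    QUIT that the client never sent as a line of its own."""
    return any(c == b"QUIT" for c in cmds)


def probe(host: str = "localhost", port: int = 21, timeout: float = 5.0) -> bool:
    """Send PROBE to a live server (assumed host/port) and return True if a 221
    reply appears, i.e. the split-off QUIT was honoured.  Needs a reachable FTP
    server and is not exercised by anything in this file."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _ = s.recv(1024)                        # banner, e.g. "220 ProFTPD ..."
        s.sendall(PROBE)
        data = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:                   # server closed after QUIT
                    break
                data += chunk
        except socket.timeout:
            pass
    return any(line.startswith(b"221") for line in data.splitlines())
```

With the vulnerable model, `read_commands_vulnerable(PROBE)` yields the 1022 A's as one command (answered "500 ... not understood" in the transcript) followed by a separate `QUIT`; the fixed model yields a single rejected line and no QUIT. A line that is too long and also lacks a trailing newline is still rejected whole by the fixed reader, since the check is on line length, not on whether the newline arrived.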


