An out-of-bounds (OOB) read vulnerability has been detected in ProFTPD, in the libcap copy bundled with it.
Tested version: development version, master branch (Jan 10, 2020)
Out-of-bounds read in cap_to_text()
The cap_to_text() function in cap_text.c calls getstateflags(caps, n) [line 255].
When getstateflags(cap_t caps, int capno) is called with capno equal to 37, isset_cap((__cap_s *)(&caps->set.inheritable), capno) expands to &((__cap_s *)(&caps->set.inheritable))->_blk[(37)>>5], i.e. _blk[1]. This accesses memory past caps->set.inheritable, outside the bounds of the caps struct (address 0x603000001af7 in our example).
[Image 1: Debug information]
As a result, OOB reads occur that access memory outside the boundaries of the cap_t struct instance.
Due to the relative offset of the inheritable member within the caps struct, this bug does not affect set.permitted.
[Image 2: Caps struct members]
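The indexing arithmetic described above, as an added example that is not part of the original advisory and not libcap or ProFTPD code: a simplified model of a one-block capability set (the layout, the member names and the getstateflags_checked() helper are assumptions made for this example) showing why capno 37 selects _blk[1] beyond set.inheritable, why the same index applied to set.permitted still lands inside the struct, and how a range check on capno before indexing prevents the out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a single-block capability set (an assumption for this
 * example, not the project's real header): one 32-bit word per set, so only
 * capability numbers 0..31 can be represented. */
#define CAP_BLKS 1

typedef struct {
    uint32_t version;          /* stands in for the header part of cap_t */
    int32_t  pid;
    struct {
        uint32_t effective;
        uint32_t permitted;
        uint32_t inheritable;  /* last member of the struct */
    } set;
} cap_model_t;

/* Block index the isset_cap() expansion on the page computes: _blk[capno >> 5]. */
int cap_blk_index(int capno)
{
    return capno >> 5;
}

/* Can capno be represented in CAP_BLKS blocks? For 37, 37 >> 5 == 1, which is
 * not below CAP_BLKS, so the answer is no. */
int cap_in_range(int capno)
{
    return capno >= 0 && cap_blk_index(capno) < CAP_BLKS;
}

/* Bytes read past the end of cap_model_t when _blk[capno >> 5] is read from
 * the set member located at member_off. 0 means the read stays inside the struct. */
static size_t overrun_bytes(size_t member_off, int capno)
{
    size_t end = member_off + ((size_t)cap_blk_index(capno) + 1) * sizeof(uint32_t);
    return end > sizeof(cap_model_t) ? end - sizeof(cap_model_t) : 0;
}

size_t inheritable_overrun_bytes(int capno)
{
    return overrun_bytes(offsetof(cap_model_t, set.inheritable), capno);
}

size_t permitted_overrun_bytes(int capno)
{
    return overrun_bytes(offsetof(cap_model_t, set.permitted), capno);
}

/* Hardened variant of getstateflags() (hypothetical name): reject capability
 * numbers the struct cannot hold instead of indexing past it. Returns -1 when
 * capno is out of range, otherwise a bitmask:
 * 1 = effective, 2 = permitted, 4 = inheritable. */
int getstateflags_checked(const cap_model_t *caps, int capno)
{
    if (!cap_in_range(capno))
        return -1;
    uint32_t mask = 1u << (capno & 31);
    int flags = 0;
    if (caps->set.effective & mask)   flags |= 1;
    if (caps->set.permitted & mask)   flags |= 2;
    if (caps->set.inheritable & mask) flags |= 4;
    return flags;
}

int main(void)
{
    /* Constructed sample: capability 3 set in effective and permitted only. */
    cap_model_t caps = { .version = 0, .pid = 0,
                         .set = { .effective = 1u << 3, .permitted = 1u << 3, .inheritable = 0 } };
    printf("capno 37 -> _blk[%d], in range: %d\n", cap_blk_index(37), cap_in_range(37));
    printf("overrun for 37: inheritable %zu bytes, permitted %zu bytes\n",
           inheritable_overrun_bytes(37), permitted_overrun_bytes(37));
    printf("checked flags for cap 3: %d, for cap 37: %d\n",
           getstateflags_checked(&caps, 3), getstateflags_checked(&caps, 37));
    return 0;
}
```

With this layout, reading _blk[1] of set.inheritable runs four bytes past the end of the struct, while _blk[1] of set.permitted overlaps set.inheritable and stays inside it, matching the observation that set.permitted is unaffected. The range check is what a bundled copy of libcap that predates the newer capability numbers would need before indexing.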
ProFTPD ASAN build instructions
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address,undefined -g" CXXFLAGS="-fsanitize=address,undefined -g" LDFLAGS="-fsanitize=address,undefined" ./configure
LDFLAGS="-fsanitize=address,undefined" make -j4
Steps to reproduce:
- Prepare a ProFTPD ASAN build.
- Run ProFTPD as root with the basic configuration and the following options:
# ./proftpd -n -c /home/antonio/Downloads/GCOV-proftpd/sample-configurations/basic.conf -d 10 -X
- Log in to the server with a valid user (USER XXXX\r\nPASS XXXX\r\n).
- The FTP server should crash with an associated ASAN trace.
Impact: this issue may lead to a post-authentication (post-auth) OOB read.
The vulnerability was fixed by updating the bundled libcap and relying on the system libcap instead. More information on this issue
Coordinated Disclosure Timeline
This report was subject to our coordinated disclosure policy.
- 01/10/2020: Report sent to Vendor
- 01/21/2020: Vendor acknowledged report
- 02/03/2020: Vendor proposed fixes
- 02/04/2020: Fixes reviewed and verified
- 02/18/2020: Vendor published fix
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at [GHSL contact address]; please include the GHSL-YEAR-ID in any communication regarding this issue.