March 12, 2020

GHSL-2020-002: out-of-bounds (OOB) read in ProFTPD

Antonio Morales

Summary

An out-of-bounds (OOB) read vulnerability has been detected in mod_cap.

Product

ProFTPD

Tested Version

Development version - master branch (Jan 10, 2020)

Details

Out-of-bound read in getstateflags function

The cap_to_text() function on cap_text.c performs a call to getstateflags(caps, n) [line 255].

When getstateflags(cap_t caps, int capno) is called, capno is equal to 37 so isset_cap((__cap_s *)(&caps->set.inheritable),capno) will expand to &((__cap_s *)(&caps->set.inheritable))->_blk[(37)>>5], thus accessing caps->set.inheritable[1] which is outside of caps struct bounds (0x603000001ae4 to 0x603000001af7 in our example). Image 1: Debug information

As a result, OOB reads occur which result in access to memory outside of the boundaries of the caps cap_t struct instance.

Due to the relative offsets of the permitted and inheritable members in the caps struct, this bug does not affect set.effective or set.permitted. Image 2: Caps struct members

ProFTPD ASAN build instructions

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address,undefined -g" CXXFLAGS="-fsanitize=address,undefined -g" LDFLAGS="-fsanitize=address,undefined" ./configure
LDFLAGS="-fsanitize=address,undefined" make -j4

Steps to reproduce:

  1. Prepare a ProFTPD ASAN build.
  2. Run ProFTPD as root with the basic configuration and the following options: # ./proftpd -n -c /home/antonio/Downloads/GCOV-proftpd/sample-configurations/basic.conf -d 10 -X
  3. Log in to the server with a valid user (USER XXXX\r\nPASS XXXX\r\n)
  4. FTP server should crash with an associated ASAN trace.

Impact

This issue may lead to Post-Auth OOB-Read

Remediation

The vulnerability was fixed by updating the libcap bundled, and to rely on the system libpcap. More information on this issue

Coordinated Disclosure Timeline

This report was subject to our coordinated disclosure policy.

  • 01/10/2020: Report sent to Vendor
  • 01/21/2020: Vendor acknowledged report
  • 02/03/2020: Vendor proposed fixes
  • 02/04/2020: Fixes reviewed and verified
  • 02/18/2020: Vendor published fix

Supporting Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-YEAR-ID in any communication regarding this issue.