skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
March 12, 2020

GHSL-2020-002: out-of-bounds (OOB) read in ProFTPD

Antonio Morales


An out-of-bounds (OOB) read vulnerability has been detected in mod_cap.



Tested Version

Development version - master branch (Jan 10, 2020)


Out-of-bound read in getstateflags function

The cap_to_text() function on cap_text.c performs a call to getstateflags(caps, n) [line 255].

When getstateflags(cap_t caps, int capno) is called, capno is equal to 37 so isset_cap((__cap_s *)(&caps->set.inheritable),capno) will expand to &((__cap_s *)(&caps->set.inheritable))->_blk[(37)>>5], thus accessing caps->set.inheritable[1] which is outside of caps struct bounds (0x603000001ae4 to 0x603000001af7 in our example). Image 1: Debug information

As a result, OOB reads occur which result in access to memory outside of the boundaries of the caps cap_t struct instance.

Due to the relative offsets of the permitted and inheritable members in the caps struct, this bug does not affect set.effective or set.permitted. Image 2: Caps struct members

ProFTPD ASAN build instructions

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address,undefined -g" CXXFLAGS="-fsanitize=address,undefined -g" LDFLAGS="-fsanitize=address,undefined" ./configure
LDFLAGS="-fsanitize=address,undefined" make -j4

Steps to reproduce:

  1. Prepare a ProFTPD ASAN build.
  2. Run ProFTPD as root with the basic configuration and the following options: # ./proftpd -n -c /home/antonio/Downloads/GCOV-proftpd/sample-configurations/basic.conf -d 10 -X
  3. Log in to the server with a valid user (USER XXXX\r\nPASS XXXX\r\n)
  4. FTP server should crash with an associated ASAN trace.


This issue may lead to Post-Auth OOB-Read


The vulnerability was fixed by updating the libcap bundled, and to rely on the system libpcap. More information on this issue

Coordinated Disclosure Timeline

This report was subject to our coordinated disclosure policy.

Supporting Resources


This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).


You can contact the GHSL team at, please include the GHSL-YEAR-ID in any communication regarding this issue.