A use-after-free vulnerability exists in ProFTPD. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
Development version - master branch (Jan 22, 2020)
It is possible to corrupt the ProFTPd memory pool by interrupting current data transfer (PoC Exploit Demo Video.webm). This can be done for example, by sending an interrupt order to the command channel while a transfer is active in the data channel.
In our PoC, the program crashes on the
alloc_pool function (
pool.c) when executing
first_avail = blok->h.first_avail.
The source of the problem comes from the
pcalloc call in
netio.c:1066 (See Image 3). This function calls the
alloc_pool function again which in turn calls
new_block to obtain a new freed memory block (See Image 4). But the memory block returned by
new_block is still referenced by the
The problem is that
new_block function is not concurrently-secure, and under certain circumstances, the
new_block function can return as a free block a block already present in the pool, causing the corruption of the pool list.
So, in short,
p is a dangling pointer due to an use-after-free vulnerability.
It's important to note that our tests show that this vulnerability can also lead to other primitives such as OOB writes, which increases the severity of the vulnerability.
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address,undefined -g" CXXFLAGS="-fsanitize=address,undefined -g" LDFLAGS="-fsanitize=address,undefined" ./configure
LDFLAGS="-fsanitize=address,undefined" make -j4
Compressed_Dir.tar.gzdir in their home folder.
ASAN_OPTIONS=verbosity=3,detect_leaks=0,abort_on_error=1,debug=true,check_initialization_order=true,detect_stack_use_after_return=true,strict_string_checks=true,detect_invalid_pointer_pairs=2 ./proftpd -n -c basic.conf -d 10 -X
telnet 127.0.0.1 21 < test.txt
This issue may lead to Post-Auth RCE.
The issue has been fixed here https://github.com/proftpd/proftpd/commit/929d6c5a107ad92705555a87c386abd8bdce5d0d
This report is subject to our coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at
firstname.lastname@example.org, please include the
GHSL-2020-009 in any communication regarding this issue.