An uninitialized pointer vulnerability has been detected in PureFTPd which results in out-of-bounds (OOB) reads. It could also allow an attacker to trigger a Denial of Service against PureFTPD.
Development version - master branch (Feb 7, 2020)
Uninitialized pointer vulnerability in diraliases linked-list (CVE-2020-9274)
A vulnerability has been detected in the way PureFTPD processes its
The source of the problem comes from the init_aliases function in diraliases.c (see the code). In this function, the next member of the last item in the linked list is not set to NULL. As a result, when the lookup_alias(const char *alias) or print_aliases(void) functions are called, they fail to correctly detect the end of the linked list and try to access a non-existent list member.
PureFTPd ASAN build instructions
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./configure --without-privsep --with-diraliases
Steps to reproduce:
- Compile PureFTPD using ASAN as mentioned above. Note that you need to comment out setrlimit(RLIMIT_DATA) to be able to use ASAN with PureFTPd (ASAN takes a lot of virtual memory). See the code.
- Copy the provided alias configuration file into
- Run PureFTPD as root with the
- Connect to the FTP server and log in with a valid user and password
- Send the
- PureFTPD should crash
This issue may lead to an OOB read and post-auth DoS.
The fix is to set tail->next = NULL for the last item of the linked list. Patch information can be found here: https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
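The missing terminator and the one-line fix described above, as an added C example that is not PureFTPd's code. The node layout, build_aliases, nodes_visited and the sample aliases are assumptions made for illustration, and a static stale node stands in for leftover heap contents so the overrun can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified node; layout is an assumption, not copied from diraliases.c. */
typedef struct alias_node {
    const char *alias, *dir;
    struct alias_node *next;
} alias_node;

/* Constructed stand-in for leftover heap contents: not a member of any list. */
static alias_node stale = { "<stale>", "<stale>", NULL };
/* Constructed sample aliases. */
static const char *PAIRS[][2] = { {"pub", "/srv/ftp/pub"}, {"docs", "/srv/ftp/docs"} };

/* Append n nodes. If terminate is 0, the last node's next is never written and
   keeps its "uninitialized" value (modelled as &stale), as in the reported bug. */
static alias_node *build_aliases(const char *pairs[][2], size_t n, int terminate)
{
    alias_node *head = NULL, *tail = NULL;
    for (size_t i = 0; i < n; i++) {
        alias_node *cur = malloc(sizeof *cur);
        if (cur == NULL) abort();
        cur->next = &stale;            /* deterministic model of garbage */
        cur->alias = pairs[i][0]; cur->dir = pairs[i][1];
        if (head == NULL) head = cur; else tail->next = cur;
        tail = cur;
    }
    if (terminate && tail != NULL) tail->next = NULL;  /* the fix */
    return head;
}

/* NULL-terminated walk, the pattern a lookup relies on; returns nodes touched. */
static size_t nodes_visited(const alias_node *head, const char *alias)
{
    size_t visited = 0;
    for (const alias_node *cur = head; cur != NULL; cur = cur->next) {
        visited++;
        if (strcmp(cur->alias, alias) == 0) break;
    }
    return visited;
}

int main(void)
{
    printf("terminated: %zu nodes\n", nodes_visited(build_aliases(PAIRS, 2, 1), "nope"));
    printf("unterminated: %zu nodes\n", nodes_visited(build_aliases(PAIRS, 2, 0), "nope"));
    return 0;
}
```

In the real daemon the extra step dereferences whatever the allocation happened to contain rather than a known node, which is the OOB read described above.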
Coordinated Disclosure Timeline
This report is subject to our coordinated disclosure policy.
- 02/18/2020: Report sent to Vendor
- 02/18/2020: Vendor acknowledged report
- 02/18/2020: Vendor published fix
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at email@example.com. Please include the GHSL-YEAR-ID in any communication regarding this issue.