An uninitialized pointer vulnerability has been detected in PureFTPd, which results in out-of-bounds (OOB) reads. It could also allow an attacker to trigger a Denial of Service against PureFTPd.
PureFTPd
Development version - master branch (Feb 7, 2020)
A vulnerability has been detected in the way PureFTPd processes its diraliases linked list.
The source of the problem is the init_aliases function in diraliases.c. In this function, the next member of the last item in the linked list is not set to NULL.
As a result, when the lookup_alias(const char *alias) or print_aliases(void) functions are called, they fail to correctly detect the end of the linked list and try to access a non-existent list member.
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./configure --without-privsep --with-diraliases
make -j4
setrlimit(RLIMIT_DATA) to be able to use ASAN with PureFTPd (ASAN takes a lot of virtual memory). See the code.
/[CONFDIR]/pureftpd-dir-aliases (usually /etc/pureftpd-dir-aliases)
-S parameter
SITE alias command
This issue may lead to an OOB read and post-auth DoS.
Add tail->next = NULL for the last item of the linked list. Patch information can be found here: https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
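The list-termination pattern behind this bug and its fix, as an added C example that is not PureFTPd's code. The node type, the `_sketch` function names and the sample aliases are hypothetical, and the list is built from an in-memory table instead of the alias file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, hypothetical node type; not PureFTPd's definition. */
typedef struct DirAlias {
    const char *alias, *dir;
    struct DirAlias *next;
} DirAlias;

static DirAlias *head, *tail;
/* Constructed sample data. */
static const char *const SAMPLE[][2] = {
    {"pub", "/srv/ftp/pub"}, {"iso", "/srv/ftp/images"}, {"tmp", "/var/tmp"}
};

static int init_aliases_sketch(const char *const pairs[][2], size_t n)
{
    int rc = 0;
    for (size_t i = 0; i < n; i++) {
        DirAlias *cur = malloc(sizeof *cur); /* cur->next is indeterminate here */
        if (cur == NULL) { rc = -1; break; }
        cur->alias = pairs[i][0];
        cur->dir = pairs[i][1];
        if (head == NULL) head = cur; else tail->next = cur;
        tail = cur;
    }
    if (tail != NULL)
        tail->next = NULL; /* terminator; also set when allocation fails midway */
    return rc;
}

static const char *lookup_alias_sketch(const char *alias)
{
    for (const DirAlias *cur = head; cur != NULL; cur = cur->next)
        if (strcmp(cur->alias, alias) == 0) return cur->dir;
    return NULL; /* a miss ends here only because the last next is NULL */
}

static void free_aliases_sketch(void)
{
    while (head != NULL) { DirAlias *n = head->next; free(head); head = n; }
    tail = NULL;
}

int main(void)
{
    if (init_aliases_sketch(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]) != 0) return 1;
    const char *hit = lookup_alias_sketch("iso"), *miss = lookup_alias_sketch("nope");
    printf("iso -> %s, nope -> %s\n", hit, miss ? miss : "(not found)");
    free_aliases_sketch();
    return 0;
}
```

Allocating nodes with calloc, or assigning `next = NULL` as each node is created, gives the same guarantee without relying on a final step after the loop.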
This report is subject to our coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at securitylab@github.com, please include the GHSL-YEAR-ID in any communication regarding this issue.