March 12, 2020

GHSL-2020-025: OOB read and DoS in PureFTPd

Antonio Morales

Summary

An uninitialized pointer vulnerability has been detected in PureFTPd which results in out-of-bounds (OOB) reads. It could also allow an attacker to trigger a Denial of Service against PureFTPD.

Product

PureFTPd

Tested Version

Development version - master branch (Feb 7, 2020)

Details

Uninitialized pointer vulnerability in diraliases linked-list (CVE-2020-9274)

A vulnerability has been detected in the way PureFTPD processes its diraliases linked-list.

The root cause is in the init_aliases function in diraliases.c (see the code): the next pointer of the last item in the linked list is never set to NULL, so it holds whatever the allocator left there.

As a result, when lookup_alias(const char *alias) or print_aliases(void) walks the list, it cannot detect the end of the linked list (it expects a NULL next pointer) and dereferences a non-existent list member.
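To make the fault concrete, here is an added example that is not PureFTPd's code: the alias_node type, the constructed SAMPLE_LINES data and the init_aliases_buggy / init_aliases_fixed / lookup_alias names are all hypothetical. It builds a diraliases-style linked list the way the advisory describes, once without terminating the tail and once with the one-line fix from the remediation section, and shows why the traversal in lookup_alias is only safe on the terminated list.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical alias node, modelled on the shape the advisory describes
 * (an alias, the directory it expands to, and a next pointer). */
typedef struct alias_node {
    const char *alias;          /* short name the client types        */
    const char *dir;            /* directory the alias expands to     */
    struct alias_node *next;    /* NULL terminates the list           */
} alias_node;

/* Constructed sample config, alternating alias / directory lines. */
static const char *const SAMPLE_LINES[] = {
    "pub",  "/var/ftp/pub",
    "docs", "/var/ftp/docs",
    "logs", "/var/ftp/logs",
};
static const size_t SAMPLE_PAIRS =
    sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0] / 2;

/* Buggy construction: each node comes from malloc, so n->next holds stale
 * heap bytes, and the tail's next pointer is never set.  Walking this list
 * until NULL is undefined behaviour (the OOB read / crash in the advisory),
 * which is why nothing below ever traverses it. */
alias_node *init_aliases_buggy(void)
{
    alias_node *head = NULL, *tail = NULL;
    for (size_t i = 0; i < SAMPLE_PAIRS; i++) {
        alias_node *n = malloc(sizeof *n);
        if (n == NULL) exit(EXIT_FAILURE);
        n->alias = SAMPLE_LINES[2 * i];
        n->dir   = SAMPLE_LINES[2 * i + 1];
        if (tail == NULL) head = n; else tail->next = n;
        tail = n;               /* tail->next left uninitialised */
    }
    return head;
}

/* Fixed construction: identical, plus the remediation from the advisory,
 * terminating the last node explicitly so traversals have a stop condition. */
alias_node *init_aliases_fixed(void)
{
    alias_node *head = NULL, *tail = NULL;
    for (size_t i = 0; i < SAMPLE_PAIRS; i++) {
        alias_node *n = malloc(sizeof *n);
        if (n == NULL) exit(EXIT_FAILURE);
        n->alias = SAMPLE_LINES[2 * i];
        n->dir   = SAMPLE_LINES[2 * i + 1];
        if (tail == NULL) head = n; else tail->next = n;
        tail = n;
    }
    if (tail != NULL) tail->next = NULL;   /* the one-line fix */
    return head;
}

/* Traversal that relies on the NULL terminator; returns the directory or
 * NULL when the alias is unknown.  Safe only on a terminated list. */
const char *lookup_alias(const alias_node *list, const char *alias)
{
    for (const alias_node *n = list; n != NULL; n = n->next)
        if (strcmp(n->alias, alias) == 0) return n->dir;
    return NULL;
}

size_t count_aliases(const alias_node *list)
{
    size_t count = 0;
    for (const alias_node *n = list; n != NULL; n = n->next) count++;
    return count;
}

void free_aliases(alias_node *list)
{
    while (list != NULL) { alias_node *next = list->next; free(list); list = next; }
}

/* Builds the fixed list, exercises the traversal, frees it; 1 on success. */
int demo_ok(void)
{
    alias_node *list = init_aliases_fixed();
    int ok = count_aliases(list) == SAMPLE_PAIRS
          && lookup_alias(list, "docs") != NULL
          && strcmp(lookup_alias(list, "docs"), "/var/ftp/docs") == 0
          && lookup_alias(list, "missing") == NULL;
    free_aliases(list);
    return ok;
}

int main(void)
{
    alias_node *list = init_aliases_fixed();
    for (const alias_node *n = list; n != NULL; n = n->next)
        printf("%s -> %s\n", n->alias, n->dir);
    free_aliases(list);
    return demo_ok() ? 0 : 1;
}
```

Built with the ASAN flags given below, the fixed variant runs cleanly; the only difference between the two builders is the terminating assignment, which is exactly what the upstream patch adds.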

PureFTPd ASAN build instructions

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./configure --without-privsep --with-diraliases
make -j4

Steps to reproduce:

  1. Compile PureFTPD with ASAN as described above. Note that you need to comment out the setrlimit(RLIMIT_DATA) call to be able to use ASAN with PureFTPd, since ASAN reserves a lot of virtual memory (see the code).
  2. Copy the provided alias configuration file into /[CONFDIR]/pureftpd-dir-aliases (usually /etc/pureftpd-dir-aliases)
  3. Run PureFTPD as root with the -S parameter
  4. Connect to the FTP server and log in with a valid user and password
  5. Send the SITE alias command
  6. PureFTPD should crash

Impact

This issue may lead to an OOB read and post-auth DoS.

Remediation

Add tail->next = NULL for the last item of the linked list. Patch information can be found here: https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa

Coordinated Disclosure Timeline

This report is subject to our coordinated disclosure policy.

  • 02/18/2020: Report sent to Vendor
  • 02/18/2020: Vendor acknowledged report
  • 02/18/2020: Vendor published fix

Supporting Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include the GHSL-YEAR-ID in any communication regarding this issue.