An out-of-bounds (OOB) read vulnerability has been detected in the
Development version - master branch (Feb 24, 2020)
OOB read in pure_strcmp (CVE-2020-9365)
The pure_strcmp and pure_memcmp functions in utils.c are affected by out-of-bounds read vulnerabilities.
As seen in this code, if the length of s1 is greater than the length of s2 then the for loop will do len-1 iterations, where len-1 > strlen(s2).
As a result, OOB reads occur from memory that is outside of the boundaries of the
pure_strcmp is called from:
- pw_unix_check (when shadow password support is not enabled)
PureFTPD ASAN build instructions:
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./configure --without-privsep --with-diraliases
Steps to reproduce:
- Compile PureFTPD using ASAN as mentioned above. Note that you need to comment out setrlimit(RLIMIT_DATA) in order to be able to use ASAN with PureFTPd (ASAN takes a lot of virtual memory). See the code
- Create a new user
- Run the PureFTPd server as root, enabling one of the affected login modules. For example:
# ./pure-ftpd -S pgsql:/home/antonio/Downloads/pureftdp/pureftpd-pgsql.conf -l unix
- Connect to the FTP server and log in with user
- PureFTPD should crash showing the ASAN trace.
This issue may allow attackers to leak sensitive information from PureFTPd process memory or crash the PureFTPD process itself.
One way this issue may be resolved is by explicitly ensuring that s1 is not longer than s2, e.g. by limiting the compared length to:
(strlen(s1) < strlen(s2)) ? strlen(s1) : strlen(s2)
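To make the bug and the suggested fix concrete, the following is an added illustration written for this page, not pure-ftpd's own utils.c: ct_memcmp, vuln_strcmp, overread_bytes and safe_strcmp are hypothetical names, vuln_strcmp reproduces the "length taken from s1 only" pattern the advisory describes, and safe_strcmp applies the min-length idea above while still rejecting strings of unequal length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constant-time byte comparison over exactly len bytes of both buffers.
 * Returns 0 when all bytes match, non-zero otherwise.                  */
static int ct_memcmp(const void *a, const void *b, size_t len)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= pa[i] ^ pb[i];
    }
    return diff;
}

/* Vulnerable pattern (hypothetical reconstruction of the bug the advisory
 * describes): the length comes from s1 only, so when s1 is longer than s2
 * the loop reads past s2's terminating NUL. Only safe to call when s1 is
 * not longer than s2; kept here for contrast with safe_strcmp().          */
static int vuln_strcmp(const char *s1, const char *s2)
{
    return ct_memcmp(s1, s2, strlen(s1) + 1U);
}

/* Number of bytes the vulnerable pattern would touch beyond s2's buffer
 * (strlen(s2) + 1 bytes are valid). Computed from lengths only, so it is
 * safe to call and shows the size of the over-read without triggering it. */
static size_t overread_bytes(const char *s1, const char *s2)
{
    size_t need = strlen(s1) + 1U, have = strlen(s2) + 1U;
    return need > have ? need - have : 0;
}

/* Hardened form: never read more than both strings hold. The length
 * difference is folded into the result so unequal lengths still compare
 * as different, and the byte loop runs over the shorter length only.    */
static int safe_strcmp(const char *s1, const char *s2)
{
    size_t l1 = strlen(s1), l2 = strlen(s2);
    size_t n = l1 < l2 ? l1 : l2;          /* the min() the advisory suggests */
    int diff = (l1 != l2);
    return diff | ct_memcmp(s1, s2, n);
}

int main(void)
{
    printf("vuln_strcmp(\"abc\",\"abc\") = %d (same length, in bounds)\n",
           vuln_strcmp("abc", "abc"));
    printf("safe_strcmp(\"abcd\",\"abc\") = %d\n", safe_strcmp("abcd", "abc"));
    printf("vulnerable pattern would over-read %zu byte(s) of s2\n",
           overread_bytes("abcdefgh", "abc"));
    return 0;
}
```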
The patch can be found here: https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b58e
Coordinated Disclosure Timeline
This report is subject to our coordinated disclosure policy.
- 02/24/2020: Report sent to Vendor
- 02/24/2020: Vendor acknowledged report
- 02/24/2020: Vendor published fix
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at firstname.lastname@example.org; please include the GHSL-YEAR-ID in any communication regarding this issue.