March 12, 2020

GHSL-2020-032: out-of-bounds (OOB) read vulnerability in PureFTPd

Antonio Morales

Summary

An out-of-bounds (OOB) read vulnerability has been detected in the pure_strcmp function.

Product

PureFTPd

Tested Version

Development version - master branch (Feb 24, 2020)

Details

OOB read in pure_strcmp (CVE-2020-9365)

The pure_strcmp and pure_memcmp functions in utils.c are affected by out-of-bounds read vulnerabilities.

As seen in this code, if the length of s1 is greater than that of s2, the for loop will do len-1 iterations, where len-1 > strlen(s2).

As a result, OOB reads occur from memory that is outside of the boundaries of the s2 array.

Note that pure_strcmp is called from:

  • pw_mysql_check
  • pw_pgsql_check
  • pw_unix_check (when shadow password support is not enabled)

PureFTPD ASAN build instructions

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./configure --without-privsep --with-diraliases
make -j4

Steps to reproduce:

  1. Compile PureFTPd using ASAN as mentioned above. Note that you need to comment out the setrlimit(RLIMIT_DATA) call in order to be able to use ASAN with PureFTPd (ASAN reserves a lot of virtual memory). See the code.
  2. Create a new user named fuzzing with the password fuzzing.
  3. Run the PureFTPd server as root, enabling one of the affected login modules. For example: # ./pure-ftpd -S pgsql:/home/antonio/Downloads/pureftdp/pureftpd-pgsql.conf -l unix
  4. Connect to the FTP server and log in with the user fuzzing and the password fuzzing.
  5. PureFTPd should crash, showing the ASAN trace.

Impact

This issue may allow attackers to leak sensitive information from PureFTPd process memory or crash the PureFTPD process itself.

Remediation

One way this issue may be resolved is by explicitly bounding the comparison length so that it never exceeds the length of s2, e.g.:

(strlen(s1) < strlen(s2)) ? strlen(s1) : strlen(s2)

The patch can be found here: https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b58e
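The following C is an added illustration (not PureFTPd's code and not the linked patch) of the defect described in the Details section and of the bounded comparison the Remediation section suggests. It assumes the vulnerable compare length was derived from s1 alone as strlen(s1) + 1 (terminator included), computes the overrun arithmetically instead of actually reading past s2, and shows a hardened compare that bounds the loop by the shorter string and still rejects prefix matches.

```c
#include <stddef.h>
#include <string.h>

/* Constant-time byte compare in the style the advisory describes: every one
 * of `len` bytes is read from both buffers, so the caller must guarantee that
 * both buffers really hold `len` bytes. */
static int ct_memcmp(const void *b1_, const void *b2_, size_t len)
{
    const unsigned char *b1 = b1_;
    const unsigned char *b2 = b2_;
    unsigned char d = 0;
    for (size_t i = 0; i < len; i++) {
        d |= b1[i] ^ b2[i];
    }
    return (int) d;
}

/* How many bytes the vulnerable pattern reads past the end of s2 when the
 * compare length is taken from s1 alone (assumed: strlen(s1) + 1, terminator
 * included). Computed arithmetically so this helper never reads out of bounds. */
size_t oob_bytes_read(const char *s1, const char *s2)
{
    size_t len = strlen(s1) + 1;      /* bytes the unbounded loop touches */
    size_t s2_bytes = strlen(s2) + 1; /* bytes s2 actually owns */
    return len > s2_bytes ? len - s2_bytes : 0;
}

/* Hardened compare: the loop is bounded by the shorter string, as the
 * remediation suggests, and a length mismatch is folded into the result so a
 * prefix match ("fuzz" vs "fuzzing") is still reported as different. */
int safe_strcmp(const char *s1, const char *s2)
{
    size_t l1 = strlen(s1);
    size_t l2 = strlen(s2);
    size_t len = l1 < l2 ? l1 : l2;
    int d = ct_memcmp(s1, s2, len);
    return d | (int) (l1 != l2);      /* 0 only on equal length and content */
}

int main(void)
{
    /* Constructed inputs: the advisory's "fuzzing" user/password pair. */
    int overrun_seen = oob_bytes_read("fuzzing", "fuzz") == 3;
    int prefix_rejected = safe_strcmp("fuzz", "fuzzing") != 0;
    return (overrun_seen && prefix_rejected) ? 0 : 1;
}
```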

Coordinated Disclosure Timeline

This report is subject to our coordinated disclosure policy.

  • 02/24/2020: Report sent to Vendor
  • 02/24/2020: Vendor acknowledged report
  • 02/24/2020: Vendor published fix

Supporting Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include the GHSL-YEAR-ID in any communication regarding this issue.