ProFTPD mod_tls Pre-Authentication Remote Buffer Overflow Vulnerability

Published: 2006-11-10
Updated: 2006-11-29

Affected systems:
ProFTPD Project ProFTPD 1.3.0a
Description:
BUGTRAQ ID: 21326
CVE(CAN) ID: CVE-2006-6170

ProFTPD is an open-source FTP server.

ProFTPD's mod_tls module contains a buffer overflow in its handling of user authentication; a remote attacker may be able to exploit it to take full control of the server.

The tls_x509_name_oneline() function in ProFTPD's mod_tls module contains a remotely triggerable overflow that allows a remote, unauthenticated attacker to obtain root privileges. The relevant code is as follows:

contrib/mod_tls.c:
"""
static char *tls_x509_name_oneline(X509_NAME *x509_name) {
  static char buf[256] = {'\0'};

  /* If we are using OpenSSL 0.9.6 or newer, we want to use
   * X509_NAME_print_ex()
   * instead of X509_NAME_oneline().
   */

#if OPENSSL_VERSION_NUMBER < 0x000906000L
  memset(&buf, '\0', sizeof(buf));
  return X509_NAME_oneline(x509_name, buf, sizeof(buf));
#else

  /* Sigh...do it the hard way. */
  BIO *mem = BIO_new(BIO_s_mem());
  char *data = NULL;
  long datalen = 0;
  int ok;

  if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
[1]  datalen = BIO_get_mem_data(mem, &data);

  if (data) {
    memset(&buf, '\0', sizeof(buf));
[2] memcpy(buf, data, datalen);
    buf[datalen] = '\0';
    buf[sizeof(buf)-1] = '\0';

    BIO_free(mem);
    return buf;
  }

  BIO_free(mem);
  return NULL;
#endif /* OPENSSL_VERSION_NUMBER >= 0x000906000 */
}
"""

The value of datalen is fully under the attacker's control (see [1]): buf is a fixed 256-byte buffer, while datalen is the full length of the printed X.509 name. The memcpy at [2] therefore overwrites buf with attacker-supplied data whenever that name is longer than the buffer; the later buf[sizeof(buf)-1] = '\0' runs only after the copy and does nothing to prevent it.
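The following is an added example, not ProFTPD's code or the project's patch. It models the copy pattern at [1]/[2] without OpenSSL: `data` and `datalen` stand in for the BIO contents returned by BIO_get_mem_data(), and the 256-byte buffer matches the original's static buf. `original_copy_overflows()` states the exact bounds condition the original code never checks, `name_oneline_copy()` is the example's own bounded replacement for the copy at [2], and `demo_copied_length()` drives it with a constructed subject string of a chosen length. All function names are the example's own.

```c
/* Added example (not ProFTPD code): models the copy pattern in
 * tls_x509_name_oneline() without OpenSSL.  `data`/`datalen` stand in for the
 * BIO contents returned by BIO_get_mem_data(); the buffer size matches the
 * original's static char buf[256]. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 256

/* Bounds condition for the original code path: memcpy(buf, data, datalen)
 * writes bytes [0, datalen) and buf[datalen] = '\0' writes one more, so the
 * writes stay inside buf[256] only when datalen + 1 <= 256.
 * Returns 1 if the original would write past the end of buf. */
int original_copy_overflows(size_t datalen) {
    return datalen + 1 > NAME_BUF_SIZE;
}

/* Hardened replacement for the copy at [2]: clamp to bufsz - 1 bytes and
 * always NUL-terminate.  (This is the example's own hardening, not the
 * project's fix.)  Returns the number of bytes copied, excluding the NUL. */
size_t name_oneline_copy(char *buf, size_t bufsz, const char *data, long datalen) {
    size_t n;
    if (buf == NULL || bufsz == 0)
        return 0;
    if (data == NULL || datalen <= 0) {   /* nothing printed, or BIO error */
        buf[0] = '\0';
        return 0;
    }
    n = (size_t)datalen;
    if (n > bufsz - 1)
        n = bufsz - 1;                    /* truncate instead of overflowing */
    memcpy(buf, data, n);
    buf[n] = '\0';
    return n;
}

/* Constructed driver: builds a one-line subject of `len` bytes ("CN=" followed
 * by 'A's), runs it through the hardened copy into a 256-byte buffer, and
 * returns strlen() of the result.  In the real server such a subject comes
 * from the client certificate presented during the TLS handshake. */
size_t demo_copied_length(size_t len) {
    char buf[NAME_BUF_SIZE];
    char data[1024];
    size_t i;
    if (len > sizeof(data))
        len = sizeof(data);
    for (i = 0; i < len; i++)
        data[i] = (i < 3) ? "CN="[i] : 'A';
    name_oneline_copy(buf, sizeof(buf), data, (long)len);
    return strlen(buf);
}

int main(void) {
    size_t lens[] = { 40, 255, 256, 300 };
    size_t i;
    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        printf("datalen=%3zu  original overflows: %s  hardened copies: %zu bytes\n",
               lens[i], original_copy_overflows(lens[i]) ? "yes" : "no ",
               demo_copied_length(lens[i]));
    }
    return 0;
}
```

Running it shows the boundary directly: a 255-byte name is the longest the original handles safely, a 256-byte name already writes one byte past buf, and the bounded copy returns at most 255 bytes for any input length.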

<*Source: Evgeny Legerov (aland@freeradius.org)

  Links: http://secunia.com/advisories/23141/
         http://marc.theaimsgroup.com/?l=bugtraq&m=116473977013602&w=2#-1
         http://security.gentoo.org/glsa/glsa-200611-26.xml
         http://www.debian.org/security/2006/dsa-1222
*>

Recommendation:
Vendor patches:

Debian
------
Debian has released a security advisory (DSA-1222-1) and corresponding patches for this issue:
DSA-1222-1: New proftpd packages fix several vulnerabilities
Link: http://www.debian.org/security/2005/dsa-1222

Patch downloads:
Source archives:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3.dsc
Size/MD5 checksum:      897 d4dea6caa9438bea9d260f20761393ec
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3.diff.gz
Size/MD5 checksum:   128340 4f14cee4723b725983eed3d7d9e7fe39
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10.orig.tar.gz
Size/MD5 checksum:   920495 7d2bc5b4b1eef459a78e55c027a4f3c4

Architecture independent components:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd-doc_1.2.10-15sarge3_all.deb
Size/MD5 checksum:   422614 c673d2a4e9db616bca66e8c2f992a95d

Alpha architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_alpha.deb
Size/MD5 checksum:   444532 d4950ecc709597f04a379e4a3f5644f9
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_alpha.deb
Size/MD5 checksum:   200874 92481cca4bbbce0f0db4fb16ac0c53af
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_alpha.deb
Size/MD5 checksum:   457334 b730aa7d3ff1c08d08bca66168686626
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_alpha.deb
Size/MD5 checksum:   476906 15a84985231a886c2d9cfaa108edad31
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_alpha.deb
Size/MD5 checksum:   476588 3ae27f992a26986872cfc4e26af3add5

ARM architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_arm.deb
Size/MD5 checksum:   373966 1c371d644b23ffa23ae4cdb847237048
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_arm.deb
Size/MD5 checksum:   188856 094b34ff2e629e4a2e34a40632130782
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_arm.deb
Size/MD5 checksum:   384130 3a073b4e2ce0a4c006b021bc2a70713c
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_arm.deb
Size/MD5 checksum:   399002 52a258d6db3529dc42f93b3377166f48
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_arm.deb
Size/MD5 checksum:   398846 010ff68a50710591d79e6791a36ebe4e

HP Precision architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_hppa.deb
Size/MD5 checksum:   403768 625a4174453f9aae518fecf9e4f6cffd
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_hppa.deb
Size/MD5 checksum:   194534 d69950a0728249287a953efd0e256d95
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_hppa.deb
Size/MD5 checksum:   414946 26cd4464a72e49bf3dd7bae1e6bcb4c5
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_hppa.deb
Size/MD5 checksum:   431866 880875bdcf2aa45c40af333a205a9386
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_hppa.deb
Size/MD5 checksum:   431612 82c75ec629e6408d19f8b7f4e1704e0b

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_i386.deb
Size/MD5 checksum:   371322 3fa4ccac9c73bc8c19e075ed49f01a42
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_i386.deb
Size/MD5 checksum:   188924 2bdb4609055c6a77ef45e376f43bb6b8
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_i386.deb
Size/MD5 checksum:   381022 5cc5974e4124b09a5c3a7a04fc4c0dfb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_i386.deb
Size/MD5 checksum:   396780 1e05de59c612c3b59a0384c6b728909c
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_i386.deb
Size/MD5 checksum:   396546 e7e49a7c96f3c5f1a335bdce31b4a41d

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_ia64.deb
Size/MD5 checksum:   519752 379b681d8139096f30c07adaf360a258
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_ia64.deb
Size/MD5 checksum:   207072 6a7a86411c903cfe92848369d8939dc9
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_ia64.deb
Size/MD5 checksum:   535426 f6e1da6b7febf2b374ce3d9cf844596e
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_ia64.deb
Size/MD5 checksum:   562386 6b9476b33d3eb98e87cda796ef3e1cba
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_ia64.deb
Size/MD5 checksum:   562222 ddaf242f3d24e951b9578f2bf37ae4c7

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_m68k.deb
Size/MD5 checksum:   332616 7f28eb7a6612422159554511d20c565c
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_m68k.deb
Size/MD5 checksum:   187212 97853824e6e354d30d08e5d4f92f866a
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_m68k.deb
Size/MD5 checksum:   340948 7cb0f9de38603efd2becbaf8a767860d
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_m68k.deb
Size/MD5 checksum:   353236 b8afaa29deb9a2aaa5826fefd92ee051
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_m68k.deb
Size/MD5 checksum:   352866 dddab5e89fc109de3892f100d5ea702d

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_mips.deb
Size/MD5 checksum:   382502 88e5ef3fca660e28577a39db65f0743b
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_mips.deb
Size/MD5 checksum:   201698 9a79029722afde2e9f9881323f09f523
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_mips.deb
Size/MD5 checksum:   391960 847c19048ee9c921abbcedb0742be96d
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_mips.deb
Size/MD5 checksum:   406524 d89d533478c0e5f9997869122173e627
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_mips.deb
Size/MD5 checksum:   406246 f12661492861e6c6f94f5f2ae57318d4

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_mipsel.deb
Size/MD5 checksum:   384380 83f0858fa68da448e561f9cfd48fedab
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_mipsel.deb
Size/MD5 checksum:   201916 8a197d293f4c7d735bd0584ec6ec74ee
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_mipsel.deb
Size/MD5 checksum:   393456 45fb0f0a6f79be0ebab17ebf7305340f
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_mipsel.deb
Size/MD5 checksum:   409566 4d33f9e7c059949a27704379228b7119
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_mipsel.deb
Size/MD5 checksum:   409366 5ee8e0e4dc1c831a2f56ff92404ea1c8

PowerPC architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_powerpc.deb
Size/MD5 checksum:   384536 67c443041e0f5fdc280952fe849f6905
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_powerpc.deb
Size/MD5 checksum:   195440 cf7b974f9f75e96ff9eb60afd64ceac0
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_powerpc.deb
Size/MD5 checksum:   395224 3ef2ae27f6234f181b2934f8656d47a0
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_powerpc.deb
Size/MD5 checksum:   412098 160500875d6d666fe89ff3590767f205
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_powerpc.deb
Size/MD5 checksum:   411734 baf2f4a518503428bd46c7528adf3ed0

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_s390.deb
Size/MD5 checksum:   379718 c33ac1f5e3afa17837d6b8a6b46173bc
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_s390.deb
Size/MD5 checksum:   193048 f1533436a3741501e67ca8a10781b274
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_s390.deb
Size/MD5 checksum:   390196 865bc00469365ae23db91d9a86ef201f
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_s390.deb
Size/MD5 checksum:   404046 022be9231922608c55613044285a367e
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_s390.deb
Size/MD5 checksum:   403780 a182f9bada4a850d9103f76a6024521a

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge3_sparc.deb
Size/MD5 checksum:   369766 1ebaaa6c12ee1db33142347ad7bd2256
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge3_sparc.deb
Size/MD5 checksum:   189086 370817d19ca97068c40263ebc64a4345
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge3_sparc.deb
Size/MD5 checksum:   379560 5d3c311d57939b9d6ccc262ad9226845
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge3_sparc.deb
Size/MD5 checksum:   394922 119cdba979f469fce53f1311d15b9ab1
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge3_sparc.deb
Size/MD5 checksum:   394722 ebb293c93ebceaa14edd1ceacc64a3d8

Patch installation:

1. Install the patch packages manually:

  First, download the patch package with the following command:
  # wget url  (url is the patch download link)

  Then install it with the following command:
  # dpkg -i file.deb (file is the name of the corresponding patch package)

2. Install the patch packages automatically with apt-get:

   First, refresh the local package database:
   # apt-get update

   Then install the updated packages:
   # apt-get upgrade

ProFTPD Project
---------------
The vendor has released an upgrade that fixes this security issue; download it from the vendor's site:

ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0a.tar.bz2

Gentoo
------
http://www.debian.org/security/2006/dsa-1222

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.