xorl %eax, %eax

CVE-2011-1575: Pure-FTPd STARTTLS Plaintext Command Injection


This is similar to the previously discussed CVE-2011-0411. As we can read on Pure-FTPd's website, the issue was fixed in 1.0.30 and later releases. The vulnerable code was the command dispatcher in src/ftp_parser.c: when a client sends AUTH TLS, the server acknowledges with a 234 reply and starts the TLS handshake, but any plaintext commands that were pipelined behind AUTH TLS in the same data were left in the input buffer and parsed once the TLS session was up, as if they had arrived over the encrypted channel. The relevant part is here:

void parser(void)
{
    char *arg;
#ifndef MINIMAL
    char *sitearg;
#endif
#ifdef WITH_RFC2640
    char *narg = NULL;
  ...
#ifdef WITH_TLS
        /* AUTH TLS: acknowledge, then switch the connection to TLS */
        } else if (enforce_tls_auth > 0 &&
                   !strcmp(cmd, "auth") && !strcasecmp(arg, "tls")) {
            addreply_noformat(234, "AUTH TLS OK.");
            doreply();
            /* Vulnerable: whatever the client already sent after "AUTH TLS"
             * is still sitting in the input buffer when the handshake starts */
            if (tls_cnx == NULL) {
                (void) tls_init_new_session();
            }
            goto wayout;
        } else if (!strcmp(cmd, "pbsz")) {
  ...
#else
        (void) 0;
#endif
    }
}

That was patched by calling flush_cmd() to discard any already-received plaintext input before the TLS session is initiated, so nothing sent in the clear alongside AUTH TLS survives into the encrypted session:

            if (tls_cnx == NULL) {
+               flush_cmd();
                (void) tls_init_new_session();
            }
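Review bot: flush_cmd() carries the whole fix, but the hunk does not show what it drains. Its placement is right, under `if (tls_cnx == NULL)` and ahead of tls_init_new_session(), since that is the only branch where the connection switches from cleartext to TLS; it must however discard both what the line reader has already buffered in user space and any bytes still unread on the socket, or a client that pipelines `AUTH TLS\r\nUSER x\r\n` in one segment still gets its trailing command executed inside the TLS session. A short comment above `flush_cmd();` saying it has to precede the handshake for that reason would keep the ordering from being "tidied" later.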

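To see the bug and the fix side by side, here is an added model of the command loop. It is not Pure-FTPd's code: the struct, read_line(), verb_is() and the two stand-ins named flush_cmd() and tls_init_new_session() are assumptions that replace the real line reader and TLS layer, and the wire data is constructed. Bytes still in the buffer after the simulated handshake stand for plaintext the client pipelined behind AUTH TLS, which the unpatched loop goes on to execute.

```c
/* Added model of CVE-2011-1575, not Pure-FTPd's own code: a tiny command loop
 * over a constructed receive buffer that stands in for src/ftp_parser.c, the
 * line reader and the TLS layer. Leftover bytes in the buffer after the
 * simulated handshake model plaintext the client pipelined behind AUTH TLS. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 128

struct conn {
    const char *in;             /* constructed "bytes received on the socket" */
    size_t pos, len;            /* read cursor into that buffer */
    int tls_active;             /* set once tls_init_new_session() has run */
    int plaintext_after_tls;    /* commands run inside TLS that arrived in the clear */
};

/* Pull one CRLF-terminated line out of the receive buffer; 0 when it is empty. */
static int read_line(struct conn *c, char *out, size_t outsz)
{
    size_t n = 0;
    if (c->pos >= c->len)
        return 0;
    while (c->pos < c->len && n + 1 < outsz) {
        char ch = c->in[c->pos++];
        if (ch == '\n')
            break;
        if (ch != '\r')
            out[n++] = ch;
    }
    out[n] = '\0';
    return 1;
}

/* Case-insensitive match, since FTP verbs may arrive in any case. */
static int verb_is(const char *line, const char *verb)
{
    for (; *line && *verb; line++, verb++)
        if (tolower((unsigned char)*line) != tolower((unsigned char)*verb))
            return 0;
    return *line == '\0' && *verb == '\0';
}

/* The fix (assumed shape): discard everything the peer has already pushed at us. */
static void flush_cmd(struct conn *c)
{
    c->pos = c->len;
}

/* Stand-in for the handshake; from here on the real server would read only
 * from the TLS record layer, so any byte still in our buffer is an injection. */
static void tls_init_new_session(struct conn *c)
{
    c->tls_active = 1;
}

/* Minimal dispatcher; `patched` selects the 1.0.30 behaviour. */
static void parser(struct conn *c, int patched)
{
    char line[LINE_MAX_LEN];

    while (read_line(c, line, sizeof line)) {
        if (verb_is(line, "AUTH TLS")) {
            if (!c->tls_active) {
                if (patched)
                    flush_cmd(c);       /* the one-line fix */
                tls_init_new_session(c);
            }
            continue;
        }
        if (c->tls_active)
            c->plaintext_after_tls++;   /* would be dispatched as a trusted command */
    }
}

/* Number of cleartext commands the server would execute inside the TLS session. */
int count_injected(const char *wire, int patched)
{
    struct conn c = { wire, 0, strlen(wire), 0, 0 };
    parser(&c, patched);
    return c.plaintext_after_tls;
}

int main(void)
{
    /* Constructed attacker segment: AUTH TLS with two commands pipelined behind it. */
    const char *wire = "AUTH TLS\r\nUSER attacker\r\nPASS hunter2\r\n";

    printf("unpatched: %d plaintext command(s) run inside the TLS session\n",
           count_injected(wire, 0));
    printf("patched:   %d\n", count_injected(wire, 1));
    return 0;
}
```

Against the constructed segment the unpatched loop reports two injected commands and the patched loop none; a client that sends AUTH TLS on its own, or commands only before it, gets the same count either way, which is the property the flush is meant to guarantee.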
Written by xorl

May 2, 2011 at 20:54

Posted in bugs
