xorl %eax, %eax

CVE-2011-1575: Pure-FTPd STARTTLS Plaintext Command Injection


This is the same class of bug as the previously discussed CVE-2011-0411, the STARTTLS plaintext command injection in Postfix. The server reads client input into a command buffer before the TLS handshake, so an active attacker who appends extra commands to the same TCP segment as the client's AUTH TLS request leaves those plaintext bytes sitting in the buffer; after the handshake they are consumed and executed as if they had arrived over the encrypted channel. As Pure-FTPd's website states, the issue was fixed in 1.0.30 and later releases. The vulnerable code was in src/ftp_parser.c and looked like this (elisions marked):

void parser(void)
{
    char *arg;
#ifndef MINIMAL
    char *sitearg;
#endif
#ifdef WITH_RFC2640
    char *narg = NULL;
#endif
    /* ... command read loop and earlier else-if branches ... */
#ifdef WITH_TLS
        } else if (enforce_tls_auth > 0 &&
                   !strcmp(cmd, "auth") && !strcasecmp(arg, "tls")) {
            addreply_noformat(234, "AUTH TLS OK.");
            if (tls_cnx == NULL) {
                (void) tls_init_new_session();
            }
            goto wayout;
        } else if (!strcmp(cmd, "pbsz")) {
            (void) 0;
    /* ... */

Note that nothing discards input already buffered behind the AUTH TLS line before tls_init_new_session() is called. The fix inserts a call to flush_cmd() before the TLS session is initiated, so any plaintext commands still queued after AUTH TLS are dropped instead of being executed inside the encrypted session:

            if (tls_cnx == NULL) {
+               flush_cmd();
                (void) tls_init_new_session();
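Review bot: flush_cmd() is called here without any declaration visible in the hunk, so make sure ftp_parser.c sees its prototype and that the function really discards the whole pending input buffer rather than only the current line; with an implicit declaration the build succeeds and the fix is silently incomplete. A short comment above the call stating why it must precede tls_init_new_session() (plaintext bytes pipelined after AUTH TLS must not survive into the encrypted session) would also keep a later refactor from reordering the two lines.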

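To make the failure mode concrete, here is an added example that is not Pure-FTPd code: a toy model of an FTP command reader in which an attacker's segment carries extra commands behind AUTH TLS. The buffer, deliver(), next_line() and run_session() are assumptions made for the model; flush_cmd() only borrows the name of the upstream fix. Running it once without and once with the flush shows which commands the parser executes while believing they came over TLS.

```c
/* Added example, not Pure-FTPd code: a toy model of an FTP command reader
 * showing why CVE-2011-1575 requires the pending plaintext input to be
 * discarded before the TLS handshake. cmd_buf, deliver(), next_line() and
 * run_session() are assumptions made for this model; flush_cmd() only
 * borrows the name of the upstream fix. */
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 1024
#define MAX_LOG 16

/* Socket bytes not yet consumed by the parser, with a per-byte flag saying
 * whether they really arrived inside the TLS session. */
static char cmd_buf[CMD_BUF_SIZE];
static unsigned char cmd_buf_enc[CMD_BUF_SIZE];
static size_t cmd_buf_len;
static int tls_active;          /* 1 once the simulated handshake completed */
static int line_was_encrypted;  /* set by next_line() for the line returned */

/* Commands the parser executed and whether it believed them protected. */
struct exec_record { char cmd[32]; int believed_tls; };
static struct exec_record exec_log[MAX_LOG];
static int exec_log_len;

/* Counterpart of the upstream flush_cmd(): throw away unconsumed input. */
static void flush_cmd(void) { cmd_buf_len = 0; }

/* One TCP segment arriving from the peer, tagged with the channel state. */
static void deliver(const char *bytes)
{
    size_t n = strlen(bytes);
    if (n > CMD_BUF_SIZE - cmd_buf_len)
        n = CMD_BUF_SIZE - cmd_buf_len;
    memcpy(cmd_buf + cmd_buf_len, bytes, n);
    memset(cmd_buf_enc + cmd_buf_len, tls_active, n);
    cmd_buf_len += n;
}

/* Pull one CRLF-terminated line out of cmd_buf; returns 0 if none is complete. */
static int next_line(char *out, size_t outsz)
{
    char *eol = memchr(cmd_buf, '\n', cmd_buf_len);
    size_t consume, linelen;

    if (eol == NULL)
        return 0;
    consume = (size_t)(eol - cmd_buf) + 1;
    linelen = consume - 1;
    if (linelen > 0 && cmd_buf[linelen - 1] == '\r')
        linelen--;
    if (linelen >= outsz)
        linelen = outsz - 1;
    memcpy(out, cmd_buf, linelen);
    out[linelen] = '\0';
    line_was_encrypted = cmd_buf_enc[0];
    memmove(cmd_buf, cmd_buf + consume, cmd_buf_len - consume);
    memmove(cmd_buf_enc, cmd_buf_enc + consume, cmd_buf_len - consume);
    cmd_buf_len -= consume;
    return 1;
}

/* Runs one session; returns how many commands were executed as "encrypted"
 * although their bytes were plaintext, i.e. were injected ahead of the
 * handshake by an active attacker. */
static int run_session(int flush_before_tls)
{
    char line[64];
    int injected = 0;

    cmd_buf_len = 0;
    tls_active = 0;
    exec_log_len = 0;
    /* Constructed attacker segment: AUTH TLS plus two commands in the same
     * plaintext segment, all delivered before the handshake can start. */
    deliver("AUTH TLS\r\nUSER attacker\r\nPASS injected\r\n");

    while (next_line(line, sizeof line)) {
        if (exec_log_len < MAX_LOG) {
            snprintf(exec_log[exec_log_len].cmd, sizeof(exec_log[0].cmd), "%s", line);
            exec_log[exec_log_len].believed_tls = tls_active;
            exec_log_len++;
        }
        if (tls_active && !line_was_encrypted)
            injected++;
        if (!tls_active && strcmp(line, "AUTH TLS") == 0) {
            /* 234 AUTH TLS OK. */
            if (flush_before_tls)
                flush_cmd();      /* the CVE-2011-1575 fix */
            tls_active = 1;       /* stands in for tls_init_new_session() */
            deliver("USER legit\r\n");  /* legitimate client, after handshake */
        }
    }
    return injected;
}

int main(void)
{
    int v, i;
    for (v = 0; v < 2; v++) {
        printf("%s flush_cmd(): %d injected\n", v ? "with" : "without", run_session(v));
        for (i = 0; i < exec_log_len; i++)
            printf("  %-14s believed_tls=%d\n", exec_log[i].cmd, exec_log[i].believed_tls);
    }
    return 0;
}
```

Without the flush, "USER attacker" and "PASS injected" are executed with believed_tls=1 even though they were never encrypted; with the flush, only the legitimate post-handshake "USER legit" follows AUTH TLS. The per-byte cmd_buf_enc flag exists only so the model can tell the two apart; a real server has no such flag, which is exactly why it must discard the buffer instead.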
Written by xorl

May 2, 2011 at 20:54

Posted in vulnerabilities
