ASA-2019-00590 – ProFTPD: Pre-authentication remote denial-of-service


Allele Security Alert

ASA-2019-00590

Identifier(s)

ASA-2019-00590, CVE-2019-18217

Title

Pre-authentication remote denial-of-service

Vendor(s)

The ProFTPD Project

Product(s)

ProFTPD

Affected version(s)

ProFTPD version 1.3.7rc before 1.3.7rc2
ProFTPD version 1.3.6 before 1.3.6b

Fixed version(s)

ProFTPD version 1.3.7rc2
ProFTPD version 1.3.6b

Proof of concept

Unknown

Description

An unauthenticated attacker can trigger an infinite loop by sending a malformed network packet, because over-long commands are handled incorrectly. The flaw in the network I/O code causes the child process that handles the client connection to consume 100% CPU.

Technical details

If errno is 7 (E2BIG) because the command was too long and EOF has already been reached, the read() function always returns 0 and is called indefinitely because of the continue statement:

src/main.c:
...
    if (cmd_buflen < 0) {
      if (errno == E2BIG) {
        /* The client sent a too-long command which was ignored; give
         * them another chance?
         */
        continue;
      }
...
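The following C program is an added illustration and is not ProFTPD's code: it models the command-read loop described above over an in-memory connection instead of a socket. The names conn_t, conn_read, read_cmd and serve, the tiny CMD_BUFSZ, the LOOP_CAP safety cap and the `fixed` flag are all constructed for this example. With `fixed == 0`, an over-long line followed by EOF is reported as -1/E2BIG on every call, so the caller's `continue` spins; with `fixed == 1`, EOF is reported as 0 and the caller disconnects. The sample inputs are likewise constructed.

```c
/* Added example, not ProFTPD code: a model of the advisory's read loop. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define CMD_BUFSZ 8        /* tiny limit so an over-long command is easy to build */
#define LOOP_CAP  10000    /* safety cap: lets the flawed loop be measured, not hung */

/* Constructed stand-in for a socket: a byte string, a read offset, and the
 * reader's "still throwing away an over-long line" state. */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
    int discarding;
} conn_t;

/* Model of read(2): bytes copied, or 0 at EOF (peer closed the connection). */
static ssize_t conn_read(conn_t *c, char *out, size_t n) {
    size_t avail = c->len - c->pos;
    if (avail == 0) return 0;
    if (n > avail) n = avail;
    memcpy(out, c->data + c->pos, n);
    c->pos += n;
    return (ssize_t)n;
}

/* Reads one newline-terminated command into buf.
 * Returns the command length, 0 on EOF, or -1 with errno = E2BIG when the
 * command does not fit (the remainder of that line is discarded).
 * fixed == 0 reproduces the flaw: EOF reached while discarding is still
 * reported as -1/E2BIG, so the caller never sees the disconnect. */
static int read_cmd(conn_t *c, char *buf, size_t bufsz, int fixed) {
    size_t used = 0;
    char ch;
    for (;;) {
        ssize_t n = conn_read(c, &ch, 1);
        if (n == 0) {                      /* EOF: read() returned 0 */
            if (c->discarding && !fixed) { errno = E2BIG; return -1; }
            return 0;                      /* fixed: EOF is EOF, whatever came before */
        }
        if (ch == '\n') {
            if (c->discarding) { c->discarding = 0; errno = E2BIG; return -1; }
            break;
        }
        if (c->discarding) continue;       /* drop the rest of the over-long line */
        if (used + 1 >= bufsz) { c->discarding = 1; continue; }
        buf[used++] = ch;
    }
    buf[used] = '\0';
    return (int)used;
}

typedef struct { int calls; int ncmds; } serve_result;

/* The caller loop from the advisory. calls == LOOP_CAP means it would have
 * spun forever (100% CPU in the child); ncmds counts commands accepted. */
static serve_result serve(const char *input, int fixed) {
    conn_t c = { input, strlen(input), 0, 0 };
    char buf[CMD_BUFSZ];
    serve_result r = { 0, 0 };
    while (r.calls < LOOP_CAP) {
        r.calls++;
        int len = read_cmd(&c, buf, sizeof buf, fixed);
        if (len < 0) {
            if (errno == E2BIG) continue;  /* the statement quoted above */
            break;
        }
        if (len == 0) break;               /* client disconnected */
        r.ncmds++;
    }
    return r;
}

int main(void) {
    /* Constructed input: one valid command, then an over-long one cut off by EOF. */
    const char *hostile = "NOOP\nAAAAAAAAAAAAAAAAAAAA";
    serve_result flawed = serve(hostile, 0), patched = serve(hostile, 1);
    printf("flawed:  %d read_cmd calls (cap %d), %d commands\n", flawed.calls, LOOP_CAP, flawed.ncmds);
    printf("patched: %d read_cmd calls, %d commands\n", patched.calls, patched.ncmds);
    return 0;
}
```

The flawed variant hits the cap after accepting the single valid command; the patched variant returns after two calls. An over-long line that is properly newline-terminated is handled the same way by both variants: it is skipped with E2BIG and the next command is read, which is the behaviour the `continue` was written for.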

Credits

Stephan Zeisberg

Reference(s)

Remote denial-of-service due to issue in network IO handling
https://github.com/proftpd/proftpd/issues/846

Issue #846: Handle the case where a client tries to send too-large commands
https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4

Issue #846: Handle the case where a client tries to send too-large commands
https://github.com/proftpd/proftpd/commit/518dc1a6e486291fa4f13d2caff0a8aec52d093e

NEWS
https://github.com/proftpd/proftpd/blob/v1.3.7rc2/NEWS

RELEASE_NOTES
https://github.com/proftpd/proftpd/blob/v1.3.7rc2/RELEASE_NOTES

RELEASE_NOTES-1.3.6b
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.6b

NEWS-1.3.6b
http://www.proftpd.org/docs/NEWS-1.3.6b

CVE-2019-18217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18217

CVE-2019-18217
https://nvd.nist.gov/vuln/detail/CVE-2019-18217

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 22, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.