
Use-after-free vulnerability in memory pools during data transfer #903

Closed
antonio-morales opened this issue Feb 18, 2020 · 3 comments

@antonio-morales

This vulnerability was previously reported via email to security@proftpd.org and has been made public after the fix has been developed.

Credit

This issue was discovered and reported by GitHub Security Lab team member @antonio-morales (Antonio Morales).

Summary

A use-after-free vulnerability exists in ProFTPD. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

Product

ProFTPD

Tested Version

ProFTPD (development version)

Details

Use-after-free vulnerability in memory pool allocator

It is possible to corrupt the ProFTPd memory pool by interrupting the current data transfer (PoC Exploit Demo Video.webm).

In our PoC, the program crashes in the "alloc_pool" function (pool.c). This function executes the instruction first_avail = blok->h.first_avail.

As you can see, the right side operand of the assignment in pool.c:569 is p->last (Image1.png). However, the problem is that "p" is a corrupted pool (Image2.png).

The source of the problem is the pcalloc call in netio.c:1066 (Image3.png). This function again calls the "alloc_pool" function, which calls "new_block" to obtain a new freed memory block (Image4.png). But the memory block returned by "new_block" is referenced by the "p" pool.

So, in short, "p" is a dangling pointer due to a use-after-free vulnerability.

It's important to note that our tests have shown that this vulnerability can also lead to other vulnerabilities (such as OOB write), so it increases the severity of the vulnerability.

Impact

This issue may lead to Post-Auth RCE (maybe FTP anonymous users are also affected).

Disclosure Policy

This report is subject to a 90 day coordinated disclosure policy.

The disclosure deadline for the findings outlined in this report is: 2020-04-21
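The report's chain is a pool reference that outlives the pool: the transfer is interrupted, the pool and its blocks go back on the free lists, and a later allocation through the stale pointer walks recycled memory. The following is an added example, not ProFTPD's pool.c and not the fix committed for this issue. It is a toy block-based pool allocator whose names (pool, block, pool_ref, new_block, pool_alloc, pool_destroy, simulate_interrupted_transfer) are hypothetical. It shows one defensive pattern for the class of bug: callers hold a (header, generation) pair rather than a bare pool pointer, headers are retired instead of freed, and an allocation through a destroyed pool is refused rather than served from recycled blocks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy pool allocator, constructed for this example. All names here are
 * hypothetical and are NOT ProFTPD's pool.c API. The point: a pool reference
 * that outlives pool_destroy() is rejected instead of being dereferenced. */

#define POOL_LIVE  0x504F4F4CU   /* "POOL" */
#define POOL_DEAD  0xDEADDEADU
#define BLOCK_SIZE 256

typedef struct block {
    struct block *next;
    char *first_avail;           /* next unused byte in data[] */
    char *end;
    char data[BLOCK_SIZE];
} block;

typedef struct pool {
    uint32_t magic;              /* POOL_LIVE or POOL_DEAD */
    uint32_t gen;                /* bumped every time this header is (re)used */
    block *blocks;
    struct pool *next;           /* link in the retired-header list */
} pool;

/* Callers hold a (header, generation) pair, never a bare pool pointer. */
typedef struct { pool *p; uint32_t gen; } pool_ref;

static block *block_freelist;    /* recycled blocks handed out by new_block() */
static pool  *retired_pools;     /* headers are never free()d, so a stale ref is checkable */

static block *new_block(void) {
    block *b = block_freelist;
    if (b) block_freelist = b->next;
    else   b = malloc(sizeof *b);
    if (!b) return NULL;
    b->next = NULL;
    b->first_avail = b->data;
    b->end = b->data + BLOCK_SIZE;
    return b;
}

pool_ref pool_create(void) {
    pool_ref r = {NULL, 0};
    pool *p = retired_pools;
    if (p) retired_pools = p->next;
    else   p = calloc(1, sizeof *p);
    if (!p) return r;
    p->magic = POOL_LIVE;
    p->gen += 1;                 /* a reused header gets a fresh generation */
    p->blocks = NULL;
    p->next = NULL;
    r.p = p;
    r.gen = p->gen;
    return r;
}

int pool_ref_valid(pool_ref r) {
    return r.p != NULL && r.p->magic == POOL_LIVE && r.p->gen == r.gen;
}

void *pool_alloc(pool_ref r, size_t n) {
    if (!pool_ref_valid(r) || n > BLOCK_SIZE) return NULL;  /* the guard */
    block *b = r.p->blocks;
    if (!b || (size_t)(b->end - b->first_avail) < n) {
        b = new_block();
        if (!b) return NULL;
        b->next = r.p->blocks;
        r.p->blocks = b;
    }
    void *out = b->first_avail;
    b->first_avail += n;
    return out;
}

void pool_destroy(pool_ref r) {
    if (!pool_ref_valid(r)) return;
    pool *p = r.p;
    for (block *b = p->blocks; b != NULL; ) {
        block *next = b->next;
        memset(b->data, 0xA5, BLOCK_SIZE);   /* poison recycled data */
        b->next = block_freelist;
        block_freelist = b;
        b = next;
    }
    p->blocks = NULL;
    p->magic = POOL_DEAD;
    p->next = retired_pools;
    retired_pools = p;
}

/* The report's pattern: a transfer-scoped pool is torn down when the transfer
 * is interrupted, but another path still holds the old reference.
 * Returns 1 if the stale allocation was refused and the fresh pool worked. */
int simulate_interrupted_transfer(void) {
    pool_ref xfer = pool_create();
    char *buf = pool_alloc(xfer, 64);
    if (!buf) return -1;
    strcpy(buf, "partial transfer");
    pool_destroy(xfer);                    /* interrupt: pool and blocks recycled */
    pool_ref fresh = pool_create();        /* reuses the retired header, new generation */
    void *fresh_ok = pool_alloc(fresh, 16);
    void *stale = pool_alloc(xfer, 16);    /* dangling ref: rejected, not dereferenced */
    pool_destroy(fresh);
    return (stale == NULL && fresh_ok != NULL) ? 1 : 0;
}

int main(void) {
    printf("stale allocation refused: %s\n",
           simulate_interrupted_transfer() == 1 ? "yes" : "no");
    return 0;
}
```

The generation counter is what makes the check survive header reuse: after pool_destroy the header is recycled by the very next pool_create, so a magic value alone would read as live again, while the generation mismatch still identifies the old reference as stale. Poisoning recycled blocks does not prevent the bug but makes a missed case show up as an obvious crash rather than silently reading another pool's data.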

Castaglia changed the title from "Use-after-free vulnerability in memory pool allocator" to "Use-after-free vulnerability in memory pools during data transfer" on Feb 18, 2020
Castaglia self-assigned this on Feb 18, 2020
Castaglia added this to the 1.3.7 milestone on Feb 18, 2020
Castaglia added a commit that referenced this issue Feb 18, 2020
Castaglia added a commit that referenced this issue Feb 18, 2020
Castaglia added a commit that referenced this issue Feb 18, 2020
Castaglia added a commit that referenced this issue Feb 18, 2020
Castaglia added a commit that referenced this issue Feb 18, 2020
…sue903

Issue #903: Ensure that we do not reuse already-destroyed memory pools
@Castaglia
Member

Fixes merged to master, and backported to the 1.3.6 branch. Thanks!

@Castaglia
Member

Looks like this has been given a CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-9273

@pghmcfc
Contributor

pghmcfc commented Feb 22, 2020

Castaglia added a commit that referenced this issue Feb 22, 2020
…_do_ want

some memory pool, lest we regress the %{transfer-status} LogFormat
functionality.
Castaglia added a commit that referenced this issue Feb 22, 2020
…_do_ want

some memory pool, lest we regress the %{transfer-status} LogFormat
functionality.
Sashan pushed a commit to Sashan/proftpd that referenced this issue Feb 25, 2020
Issue proftpd#903: Ensure that we do not reuse already-destroyed memory pools
during data transfers.

This patch has been cherry-picked and squashed from changesets below:
	a9749ca
	e845abc
	2c5f569f3ba2a8a33109f89eadb65c9441cffdde