
Use-after-free vulnerability in memory pools during data transfer #903

Closed
@antonio-morales

Description


This vulnerability was previously reported via email to security@proftpd.org and has been made public after the fix has been developed.

Credit

This issue was discovered and reported by GitHub Security Lab team member @antonio-morales (Antonio Morales).

Summary

A use-after-free vulnerability exists in ProFTPD. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

Product

ProFTPD

Tested Version

ProFTPD (development version)

Details

Use-after-free vulnerability in memory pool allocator

It is possible to corrupt a ProFTPD memory pool by interrupting the current data transfer (see PoC Exploit Demo Video.webm).

In our PoC, the program crashes in the "alloc_pool" function (pool.c), on the instruction first_avail = blok->h.first_avail.

As you can see, the right-hand operand of the assignment at pool.c:569 is p->last (Image1.png). However, the problem is that "p" is a corrupted pool (Image2.png).

The source of the problem is the pcalloc call at netio.c:1066 (Image3.png). This function in turn calls "alloc_pool", which calls "new_block" to obtain a new block from freed memory (Image4.png). But the memory block returned by "new_block" is referenced by the "p" pool.

So, in short, "p" is a dangling pointer due to a use-after-free vulnerability.

It is important to note that our tests have shown that this vulnerability can also lead to other vulnerabilities (such as an OOB write), which increases its severity.
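To make the mechanism concrete, the following is an added example written for this page; it is not ProFTPD's code and not part of the original report. It models the relevant shape of a pool.c-style allocator under assumed names and sizes (struct block/struct pool, BLOCK_SIZE, NBLOCKS, a fixed arena standing in for malloc, and a POOL_MAGIC field that ProFTPD's pool struct does not have): a pool header lives inside its own first block, destroy_pool() pushes blocks onto a freelist rather than free()ing them, and a caller that keeps using its pool pointer after destruction ends up reading p->last out of memory that new_block() has already handed to another pool.

```c
/* Constructed model of a block-based pool allocator in the style of ProFTPD's
 * pool.c (allocations are carved out of blocks; destroy_pool() returns blocks to
 * a freelist instead of free()ing them). NOT ProFTPD's code: names, sizes and
 * the POOL_MAGIC check are assumptions made for this illustration. */
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 256
#define NBLOCKS    4
#define POOL_MAGIC 0x504f4f4cu    /* "POOL": valid only while the pool is alive */

struct block {
    struct block *next;           /* next block of the pool, or next free block */
    char *first_avail;            /* next unallocated byte in data[] */
    char data[BLOCK_SIZE];
};

struct pool {
    uint32_t magic;
    struct block *first;          /* the block that holds this header */
    struct block *last;           /* block allocations are currently taken from */
};

static struct block arena[NBLOCKS];   /* stand-in for malloc(): fixed, never freed */
static struct block *block_freelist;

static void init_blocks(void) {
    for (int i = 0; i < NBLOCKS; i++)
        arena[i].next = (i + 1 < NBLOCKS) ? &arena[i + 1] : NULL;
    block_freelist = &arena[0];
}

/* Recycle a block from the freelist; a destroyed pool's memory comes back here. */
static struct block *new_block(void) {
    struct block *b = block_freelist;
    if (b == NULL) return NULL;
    block_freelist = b->next;
    b->next = NULL;
    b->first_avail = b->data;
    return b;
}

/* The pool header lives inside its own first block, as in pool.c. */
static struct pool *make_pool(void) {
    struct block *b = new_block();
    if (b == NULL) return NULL;
    struct pool *p = (struct pool *)b->first_avail;
    b->first_avail += sizeof(*p);
    p->magic = POOL_MAGIC;
    p->first = p->last = b;
    return p;
}

/* Without the magic check, `blok = p->last` on a recycled header loads whatever
 * bytes now live there and the next line dereferences them: the report's crash site. */
static void *palloc(struct pool *p, size_t nbytes) {
    if (p->magic != POOL_MAGIC) return NULL;   /* hardened: refuse a stale pool */
    struct block *blok = p->last;
    if ((size_t)(blok->data + BLOCK_SIZE - blok->first_avail) < nbytes) {
        struct block *nb = new_block();
        if (nb == NULL) return NULL;
        blok->next = nb;
        p->last = blok = nb;
    }
    void *out = blok->first_avail;
    blok->first_avail += nbytes;
    return out;
}

static void *pcalloc(struct pool *p, size_t nbytes) {
    void *r = palloc(p, nbytes);
    if (r != NULL) memset(r, 0, nbytes);
    return r;
}

/* Return every block to the freelist; the caller's p now addresses free memory. */
static void destroy_pool(struct pool *p) {
    p->magic = 0;                 /* poison so a stale pointer fails palloc() */
    for (struct block *b = p->first, *n = NULL; b != NULL; b = n) {
        n = b->next;
        b->next = block_freelist;
        block_freelist = b;
    }
}

/* Returns 1 if a stale pool header was overwritten by another pool's data and hardened palloc() refused it. */
static int demo_dangling_pool(void) {
    init_blocks();
    struct pool *p = make_pool();  /* e.g. the pool of a data-transfer stream */
    struct pool *q = make_pool();  /* an unrelated long-lived pool */
    pcalloc(p, 32);
    destroy_pool(p);               /* transfer aborted; the owner never clears p */
    /* Fill q's current block so its next allocation pulls p's old block off the
     * freelist, then write caller data straight over p's header. */
    pcalloc(q, BLOCK_SIZE - sizeof(struct pool) - 8);
    memset(palloc(q, 64), 0x41, 64);
    int clobbered = memcmp(&p->last, "AAAAAAAA", sizeof(void *)) == 0;
    int refused = pcalloc(p, 16) == NULL;  /* unchecked, this derefs 0x4141... */
    return clobbered && refused;
}
```

Two practitioner caveats follow from the model. First, because the blocks go back onto a freelist rather than through free(), AddressSanitizer sees no invalid access here; pool allocators hide this class of bug from the usual tooling unless the freelist path is instrumented. Second, the POOL_MAGIC check is only a detection aid: if the recycled block is handed out as another pool's first block, the stale pointer aliases a live header and passes the check, so the real fix has to be in the owner's lifetime handling (the stream must stop referencing its pool once that pool is destroyed), not in the allocator.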

Impact

This issue may lead to post-auth RCE (anonymous FTP users may also be affected).

Disclosure Policy

This report is subject to a 90 day coordinated disclosure policy.

The disclosure deadline for the findings outlined in this report is: 2020-04-21
