Description
This vulnerability was previously reported via email to security@proftpd.org and has been made public after the fix has been developed.
Credit
This issue was discovered and reported by GitHub Security Lab team member @antonio-morales (Antonio Morales).
Summary
A use-after-free vulnerability exists in ProFTPD. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
Product
ProFTPD
Tested Version
ProFTPD (development version)
Details
Use-after-free vulnerability in memory pool allocator
It is possible to corrupt a ProFTPD memory pool by interrupting the current data transfer (see PoC Exploit Demo Video.webm).
In our PoC, the program crashes in the alloc_pool function (pool.c) when it executes the instruction first_avail = blok->h.first_avail.
The right-hand operand of the assignment at pool.c:569 is p->last (Image1.png). The problem is that "p" is a corrupted pool (Image2.png).
The root of the problem is the pcalloc call at netio.c:1066 (Image3.png). pcalloc calls alloc_pool again, which in turn calls new_block to obtain a new (previously freed) memory block (Image4.png). However, the memory block returned by new_block is still referenced by the "p" pool.
So, in short, "p" is a dangling pointer due to a use-after-free.
It is important to note that our tests have shown that this vulnerability can also lead to other memory-safety bugs (such as an out-of-bounds write), which increases its severity.
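The dangling p->last condition described above, modelled in an added example that is not ProFTPD's code: a toy block-pool allocator using the header fields the report names (a block's first_avail, a pool's last block), a hypothetical pool_is_dangling() debug check that catches a pool whose last block has already gone back to the free list, and a guarded allocation step that refuses to read through such a block. The structures, the free list and all function names here are assumptions for illustration, not ProFTPD's.

```c
#include <stddef.h>
#include <stdlib.h>
/* Toy block-pool allocator in the shape the report describes (hypothetical
 * model, not ProFTPD's code): a pool points at its `last` block, and freed
 * blocks go on a free list for reuse. */
union block_hdr {
    struct { char *endp; union block_hdr *next; char *first_avail; } h;
};
struct pool_rec { union block_hdr *last; };
static union block_hdr *block_freelist;        /* freed blocks awaiting reuse */
static union block_hdr *new_block(size_t sz) {
    union block_hdr *b = malloc(sizeof *b + sz);
    if (!b) return NULL;
    b->h.first_avail = (char *)(b + 1);
    b->h.endp = b->h.first_avail + sz;
    b->h.next = NULL;
    return b;
}
/* Returns a block to the free list without clearing any pool's reference to
 * it; that is what leaves p->last pointing at freed memory. */
static void free_block(union block_hdr *b) {
    b->h.next = block_freelist;
    block_freelist = b;
}
/* Debug check (hypothetical): is the pool's last block on the free list? */
int pool_is_dangling(const struct pool_rec *p) {
    for (const union block_hdr *f = block_freelist; f; f = f->h.next)
        if (f == p->last) return 1;
    return 0;
}
/* The allocation step from the report, guarded: refuse to read
 * blok->h.first_avail from a block that has already been freed. */
void *pool_alloc_checked(struct pool_rec *p, size_t sz) {
    if (!p->last || pool_is_dangling(p)) return NULL;
    union block_hdr *blok = p->last;
    if ((size_t)(blok->h.endp - blok->h.first_avail) < sz) return NULL;
    void *mem = blok->h.first_avail;
    blok->h.first_avail += sz;
    return mem;
}
/* Models the report's sequence: the transfer is torn down and its block is
 * freed while pool p still references it. Returns 1 if the guard fires. */
int scenario_interrupted_transfer(void) {
    struct pool_rec p = { new_block(64) };
    if (!p.last || !pool_alloc_checked(&p, 16)) return -1; /* normal use */
    free_block(p.last);            /* teardown frees the block; p not updated */
    int caught = pool_is_dangling(&p) && pool_alloc_checked(&p, 16) == NULL;
    block_freelist = NULL;         /* reset the model for repeat calls */
    return caught;
}
```

Running scenario_interrupted_transfer() returns 1: the check flags the stale p->last before alloc would dereference it, which is the point at which the real crash in alloc_pool occurs.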
Impact
This issue may lead to Post-Auth RCE (maybe FTP anonymous users are also affected).
Disclosure Policy
This report is subject to a 90-day coordinated disclosure policy.
The disclosure deadline for the findings outlined in this report is: 2020-04-21