Skip to content

Buffer Overflow

critical
troglobit published GHSA-wrpr-xw7q-9wvq Jan 5, 2020

Package

uftpd

Affected versions

< v2.11

Patched versions

v2.11

Description

Impact

There is a buffer overflow vulnerability in handle_PORT in ftpcmd.c that is caused by a buffer that is 16 bytes large being filled via sprintf() with user input based on the format specifier string %d.%d.%d.%d. The 16 byte size is correct for valid IPv4 addresses (len('255.255.255.255') == 16), but the format specifier %d allows more than 3 digits.

To reproduce this vulnerability, connect via netcat <ip> <port> and write to the FTP server socket the following and observe the child process spawned for the connection SIGABRT:

PORT 13371337,12341234,12345678,10102929,1,2

Patches

Fixed in v2.11.

Workarounds

Only possible workaround is to disable the FTP service until it can be udated to v2.11.

References

Reported by Aaron Esau.

For more information

If you have any questions or comments about this advisory, email Joachim Nilsson

CVE ID

CVE-2020-5204

Credits