CVE-2006-5815
Published 2006-11-08
CVE-2006-5815: Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service…
Priority: P2 · 70 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N / AC:L / Au:N / C:C / I:C / A:C
EXPLOIT: yes (see the Exploit-DB and Metasploit entries below)
EPSS: 74.25% (99.4th percentile)
Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.0-15 (bookworm) | proftpd-dfsg 1.3.0-15 (bookworm) |
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.0-13 (bookworm) | proftpd-dfsg 1.3.0-13 (bookworm) |
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.0-16 (bookworm) | proftpd-dfsg 1.3.0-16 (bookworm) |
| proftpd_project | proftpd | <= 1.3.0a | — |
| proftpd_project | proftpd | <= 1.3.0 | — |
Detection & IOCs (extracted from sources)
Bytes: \x66\x81\xc2\x5e\x13\x52\xc3
- Alert on FTP STOR of a file named '.message' containing the byte sequence 0x66 0x81 0xc2 0x5e 0x13 0x52 0xc3 (add $0x135e,%dx; push %edx; ret shellcode trampoline) in the file data.
- Flag FTP sessions where a CWD command is issued into a directory whose name contains non-ASCII/binary bytes immediately after uploading a .message file — this is the trigger step for the sreplace stack overflow.
- The exploit requires a writable directory on the target FTP server (default '/incoming') to upload the malicious .message file; servers without anonymous or authenticated write access are not directly exploitable via this path.
- The stack-based overflow in sreplace is only reachable via pr_display_file starting from ProFTPD 1.3.0rc3; earlier stable versions (e.g., 1.2.10) cannot be reached via this vector.
- CVE-2006-5815 was originally (erroneously) associated with CommandBufferSize off-by-two; the actual sreplace stack overflow is the correct vulnerability for this CVE.
- Bad characters for the payload are null byte, newline, carriage return, and percent sign (0x00, 0x0a, 0x0d, 0x25); shellcode must avoid these bytes.
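A detector for the two alerting indicators above, added here as an example that is not from the page's sources or from ProFTPD itself. It runs over a constructed list of FTP session events (the control-channel command plus, for STOR, the uploaded bytes from a data-channel capture) and raises the STOR and CWD alerts the list describes. The event schema, the `window` parameter and the sample sessions are assumptions. It also generalizes the first indicator: a `.message` file is a text banner that ProFTPD displays to clients, so any non-text upload under that name is flagged, not only the specific trampoline bytes.

```python
"""Detect the CVE-2006-5815 FTP indicators over session events (added example)."""
from dataclasses import dataclass

# Trampoline bytes quoted in the IOC list above (add $0x135e,%dx; push %edx; ret).
TRAMPOLINE = b"\x66\x81\xc2\x5e\x13\x52\xc3"


@dataclass
class FtpEvent:
    """One control-channel command; schema is an assumption for this example."""
    session: str
    seq: int
    command: str            # e.g. "STOR", "CWD"
    argument: bytes         # raw argument bytes as seen on the control channel
    data: bytes = b""       # uploaded payload for STOR (from a data-channel capture)


def is_message_file(arg: bytes) -> bool:
    """True when the STOR target's basename is '.message'."""
    return arg.rsplit(b"/", 1)[-1] == b".message"


def is_text(data: bytes) -> bool:
    """A .message banner should be printable ASCII plus tab/newline/CR."""
    return all(0x20 <= b < 0x7f or b in (0x09, 0x0a, 0x0d) for b in data)


def has_binary_bytes(arg: bytes) -> bool:
    """Directory names with control or high bytes are the CWD trigger indicator."""
    return any(b < 0x20 or b >= 0x80 for b in arg)


def detect(events, window=3):
    """Return (session, seq, reason) alerts; `window` is the max number of
    commands between the .message upload and the CWD for them to be linked."""
    alerts = []
    sessions = {}
    for ev in events:
        sessions.setdefault(ev.session, []).append(ev)
    for sid, evs in sessions.items():
        evs.sort(key=lambda e: e.seq)
        last_upload = None
        for ev in evs:
            if ev.command == "STOR" and is_message_file(ev.argument):
                last_upload = ev.seq
                if TRAMPOLINE in ev.data:
                    alerts.append((sid, ev.seq, "trampoline bytes in uploaded .message"))
                elif not is_text(ev.data):
                    alerts.append((sid, ev.seq, "non-text content in uploaded .message"))
            elif (ev.command == "CWD" and last_upload is not None
                  and ev.seq - last_upload <= window
                  and has_binary_bytes(ev.argument)):
                alerts.append((sid, ev.seq,
                               "CWD into binary-named directory after .message upload"))
    return alerts


# Constructed sample sessions (not captured traffic).
SAMPLE_EVENTS = [
    # s1: ordinary upload, nothing to flag
    FtpEvent("s1", 1, "CWD", b"/pub"),
    FtpEvent("s1", 2, "STOR", b"report.txt", b"quarterly numbers\n"),
    # s2: .message carrying the trampoline, then CWD into a binary-named dir
    FtpEvent("s2", 1, "CWD", b"/incoming"),
    FtpEvent("s2", 2, "STOR", b".message", b"A" * 64 + TRAMPOLINE + b"B" * 16),
    FtpEvent("s2", 3, "CWD", b"/incoming/\x90\x90\xff\xfe"),
    # s3: legitimate text banner followed by a normal CWD
    FtpEvent("s3", 1, "STOR", b"/incoming/.message", b"Welcome to incoming\n"),
    FtpEvent("s3", 2, "CWD", b"/incoming/docs"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The STOR check keys on the file's basename rather than the full path because the writable directory is site-specific ('/incoming' is only the default named above); the CWD check is tied to a recent `.message` upload in the same session so that ordinary clients browsing directories with non-ASCII names do not alert on their own.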
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | MEDIUM | — |
VulDB
ProFTPD 1.3.0 memory corruption (EDB-16852 / Nessus ID 24602)
vuldb·2026-04-27·CVSS 10.0
CVE-2006-5815 [CRITICAL] ProFTPD 1.3.0 memory corruption (EDB-16852 / Nessus ID 24602)
A vulnerability described as problematic has been identified in ProFTPD 1.3.0. Affected is an unknown function. Such manipulation leads to memory corruption.
This vulnerability is uniquely identified as CVE-2006-5815. Local access is required to approach this attack. Moreover, an exploit is present.
Restrictive firewalling should be applied.
VulDB
ProFTPD 1.3.0 main.c CommandBufferSize memory corruption (EDB-16852 / Nessus ID 24602)
vuldb·2026-04-27·CVSS 10.0
CVE-2006-5815 [CRITICAL] ProFTPD 1.3.0 main.c CommandBufferSize memory corruption (EDB-16852 / Nessus ID 24602)
A vulnerability, which was classified as problematic, was found in ProFTPD 1.3.0. This impacts the function CommandBufferSize of the file main.c. Executing a manipulation can lead to memory corruption.
The identification of this vulnerability is CVE-2006-5815. The attack may be launched remotely. Furthermore, there is an exploit available.
Applying a patch is advised to resolve this issue.
GHSA
GHSA-9qxv-mv47-gw7g: Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1
ghsa_unreviewed·2022-05-01·CVSS 10.0
CVE-2006-6170 [CRITICAL] GHSA-9qxv-mv47-gw7g: Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1
Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products, allows remote attackers to execute arbitrary code via a large data length argument, a different vulnerability than CVE-2006-5815.
GHSA
GHSA-fg3g-4994-3829: ** DISPUTED ** ProFTPD 1
ghsa_unreviewed·2022-05-01·CVSS 10.0
CVE-2006-6171 [CRITICAL] GHSA-fg3g-4994-3829: ** DISPUTED ** ProFTPD 1
** DISPUTED ** ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the role of CommandBufferSize was originally associated with CVE-2006-5815, but this was an error stemming from a vague initial disclosure. NOTE: ProFTPD developers dispute this issue, saying that the relevant memory location is overwritten by assignment before further use within the affected function, so this is not a vulnerability.
GHSA
GHSA-q4h4-p4xh-74q7: Stack-based buffer overflow in the sreplace function in ProFTPD 1
ghsa_unreviewed·2022-05-01
CVE-2006-5815 [HIGH] CWE-119 GHSA-q4h4-p4xh-74q7: Stack-based buffer overflow in the sreplace function in ProFTPD 1
Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
OSV
CVE-2006-6171: ProFTPD 1
osv·2006-11-30·CVSS 10.0
CVE-2006-6171 [CRITICAL] CVE-2006-6171: ProFTPD 1
ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the role of CommandBufferSize was originally associated with CVE-2006-5815, but this was an error stemming from a vague initial disclosure. NOTE: ProFTPD developers dispute this issue, saying that the relevant memory location is overwritten by assignment before further use within the affected function, so this is not a vulnerability
OSV
CVE-2006-6170: Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1
osv·2006-11-30·CVSS 10.0
CVE-2006-6170 [CRITICAL] CVE-2006-6170: Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1
Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products, allows remote attackers to execute arbitrary code via a large data length argument, a different vulnerability than CVE-2006-5815.
OSV
CVE-2006-5815: Stack-based buffer overflow in the sreplace function in ProFTPD 1
osv·2006-11-08·CVSS 10.0
CVE-2006-5815 [CRITICAL] CVE-2006-5815: Stack-based buffer overflow in the sreplace function in ProFTPD 1
Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
Debian
CVE-2006-5815: proftpd-dfsg - Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlie...
vendor_debian·2006·CVSS 10.0
CVE-2006-5815 [CRITICAL] CVE-2006-5815: proftpd-dfsg - Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlie...
Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
Scope: local
bookworm: resolved (fixed in 1.3.0-15)
bullseye: resolved (fixed in 1.3.0-15)
forky: resolved (fixed in 1.3.0-15)
sid: resolved (fixed in 1.3.0-15)
trixie: resolved (fixed in 1.3.0-15)
Debian
CVE-2006-6171: proftpd-dfsg - ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when Comm...
vendor_debian·2006·CVSS 10.0
CVE-2006-6171 [CRITICAL] CVE-2006-6171: proftpd-dfsg - ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when Comm...
ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the role of CommandBufferSize was originally associated with CVE-2006-5815, but this was an error stemming from a vague initial disclosure. NOTE: ProFTPD developers dispute this issue, saying that the relevant memory location is overwritten by assignment before further use within the affected function, so this is not a vulnerability
Scope: local
bookworm: resolved (fixed in 1.3.0-13)
bullseye: resolved (fixed in 1.3.0-13)
forky: resolved (fixed in 1.3.0-13)
sid: resolved (fixed in 1.3.0-13)
trixie: resolved (fixed in 1.3.0-13)
Debian
CVE-2006-6170: proftpd-dfsg - Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as ...
vendor_debian·2006·CVSS 10.0
CVE-2006-6170 [CRITICAL] CVE-2006-6170: proftpd-dfsg - Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as ...
Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products, allows remote attackers to execute arbitrary code via a large data length argument, a different vulnerability than CVE-2006-5815.
Scope: local
bookworm: resolved (fixed in 1.3.0-16)
bullseye: resolved (fixed in 1.3.0-16)
forky: resolved (fixed in 1.3.0-16)
sid: resolved (fixed in 1.3.0-16)
trixie: resolved (fixed in 1.3.0-16)
No detection rules found.
Exploit-DB
ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Remote Buffer Overflow (Metasploit)
exploitdb·2011-01-09
CVE-2006-5815 ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Remote Buffer Overflow (Metasploit)
'Name' => 'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)',
'Description' => %q{
This module exploits a stack-based buffer overflow in versions 1.2 through
1.3.0 of ProFTPD server. The vulnerability is within the "sreplace" function
within the "src/support.c" file.
The off-by-one heap overflow bug in the ProFTPD sreplace function has been
discovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit
this off-by-one bug via MKD command, but failed. We did not work on this bug
since then.
Actually, there are exists at least two bugs in sreplace function, one is the
mentioned off-by-one heap overflow bug the other is a stack-based buffer overflow
via 'sstrncpy(dst,src,negative argument)'.
We were unable to reach the "sreplace" stack bug on ProFTPD 1.2.10 stable
version,
Exploit-DB
ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)
exploitdb·2006-11-27
CVE-2006-5815 ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)
ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)
---
# vd_proftpd.pm - Metasploit module for ProFTPD stack overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS AC
Metasploit
ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
metasploit
ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
This module exploits a stack-based buffer overflow in versions 1.2 through 1.3.0 of ProFTPD server. The vulnerability is within the "sreplace" function within the "src/support.c" file. The off-by-one heap overflow bug in the ProFTPD sreplace function has been discovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit this off-by-one bug via MKD command, but failed. We did not work on this bug since then. Actually, there are exists at least two bugs in sreplace function, one is the mentioned off-by-one heap overflow bug the other is a stack-based buffer overflow via 'sstrncpy(dst,src,negative argument)'. We were unable to reach the "sreplace" stack bug on ProFTPD 1.2.10 stable version, but the version 1.3.0rc3 introduced s
arXiv
Exploitation Techniques and Defenses for Data-Oriented Attacks
arxiv_fulltext·2019-03-25
Exploitation Techniques and Defenses for Data-Oriented Attacks
## Abstract
Data-oriented attacks manipulate non-control data to alter a program's benign behavior without violating its control-flow integrity. It has been shown that such attacks can cause significant damage even in the presence of control-flow defense mechanisms. However, these threats have not been adequately addressed. In this SoK paper, we first map data-oriented exploits, including Data-Oriented Programming (DOP) attacks, to their assumptions/requirements and attack capabilities. We also compare known defenses against these attacks, in terms of approach, detection capabilities, overhead, and compatibility. Then, we experimentally assess the feasibility of a detection approach that is based on the Intel Processor Trace (PT) technology. PT only traces control flows, thus, is generall
arXiv
Extended Abstract: Mimicry Resilient Program Behavior Modeling with LSTM based Branch Models
arxiv_fulltext·2018-03-24
Extended Abstract: Mimicry Resilient Program Behavior Modeling with LSTM based Branch Models
Hayoon Yi (1; equal contribution), Gyuwan Kim (1, 2; equal contribution), Jangho Lee (1), Sunwoo Ahn (1), Younghan Lee (1), Sungroh Yoon (1; corresponding author), Yunheung Paek (1; corresponding author)
1: Dept. of Electrical and Computer Engineering, Seoul National University
2: Search Solutions, Inc
Email: hyyi, kgwmath, ubuntu, swahn, yhlee, sryoon, [email protected]
## Abstract
In software design, protecting a computer system from the plethora of software attacks and malware in the wild has become increasingly important. As one branch of research to detect the existence of attacks or malware, much work has focused on modeling the runtime behavior of a program. Stemming from the seminal work of Forrest et al., one of the main tools to model program
arXiv
HardScope: Thwarting DOP with Hardware-assisted Run-time Scope Enforcement
arxiv_fulltext·2018-03-12
HardScope: Thwarting DOP with Hardware-assisted Run-time Scope Enforcement
## Abstract
Widespread use of memory unsafe programming languages (e.g., C and C++)
leaves many systems vulnerable to memory corruption attacks.
A variety of defenses have been proposed to mitigate attacks that exploit memory errors to hijack the control flow of the code at run-time, e.g., (fine-grained) randomization or Control Flow Integrity.
However, recent work on data-oriented programming (DOP) demonstrated highly expressive (Turing-complete) attacks, even in the presence of these state-of-the-art defenses.
Although multiple real-world DOP attacks have been demonstrated, no efficient defenses are yet available.
We propose run-time scope enforcement ( ), a novel approach designed to efficiently mitigate all
Bugzilla
CVE-2006-5815: proftpd unspecified vulnerability
bugzilla·2006-11-09·CVSS 10.0
CVE-2006-5815 [CRITICAL] CVE-2006-5815: proftpd unspecified vulnerability
CVE-2006-5815: proftpd unspecified vulnerability
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5815
Very little information available at the moment.
Discussion:
Indeed... please keep me posted if you manage to get more information.
---
A Gentoo person suggested that this might be related to this.
Though I didn't give it a look... it seems unlikely to me, because this
looks like it is related to a configuration file parsing bug.
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date
http://bugs.gentoo.org/show_bug.cgi?id=152473
I'm puzzled at all... did Evgeny report it in silence or not at all?
---
Aah, this is the line that is added:
cmd_buf_size = 512;
Buffer size limit was not set correctly in case CommandBufferSize had been
specified in the co
References:
- http://bugs.proftpd.org/show_bug.cgi?id=2858
- http://gleg.net/vulndisco_meta.shtml
- http://secunia.com/advisories/22803
- http://secunia.com/advisories/22821
- http://secunia.com/advisories/23000
- http://secunia.com/advisories/23069
- http://secunia.com/advisories/23125
- http://secunia.com/advisories/23174
- http://secunia.com/advisories/23179
- http://secunia.com/advisories/23184
- http://secunia.com/advisories/23207
- http://securitytracker.com/id?1017167
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.502491
- http://www.debian.org/security/2006/dsa-1222
- http://www.gentoo.org/security/en/glsa/glsa-200611-26.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:217
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:217-1
- http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.035-proftpd.html
- http://www.securityfocus.com/archive/1/452760/100/200/threaded
- http://www.securityfocus.com/bid/20992
- http://www.trustix.org/errata/2006/0066/
- http://www.trustix.org/errata/2006/0070
- http://www.vupen.com/english/advisories/2006/4451
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30147
Published: 2006-11-08