cbcvebase.
CVE-2006-5815
published 2006-11-08

Priority: P2 (70)
Severity: critical, CVSS 2.0 base score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 74.25% (99.4th percentile)
Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."

Affected (5 ranges)

Vendor            Product        Version range                         Fixed in
debian            proftpd-dfsg   < proftpd-dfsg 1.3.0-15 (bookworm)    proftpd-dfsg 1.3.0-15 (bookworm)
debian            proftpd-dfsg   < proftpd-dfsg 1.3.0-13 (bookworm)    proftpd-dfsg 1.3.0-13 (bookworm)
debian            proftpd-dfsg   < proftpd-dfsg 1.3.0-16 (bookworm)    proftpd-dfsg 1.3.0-16 (bookworm)
proftpd_project   proftpd        <= 1.3.0a
proftpd_project   proftpd        <= 1.3.0

Detection & IOCs (extracted from sources)

  filename: .message
  filename: 250
  path:     src/support.c
  command:  CWD <dir2>
  bytes:    \x66\x81\xc2\x5e\x13\x52\xc3
  • Alert on FTP STOR of a file named '.message' containing the byte sequence 0x66 0x81 0xc2 0x5e 0x13 0x52 0xc3 (add $0x135e,%dx; push %edx; ret shellcode trampoline) in the file data.
  • Flag FTP sessions where a CWD command is issued into a directory whose name contains non-ASCII/binary bytes immediately after uploading a .message file; this is the trigger step for the sreplace stack overflow.
  • The exploit requires a writable directory on the target FTP server (default '/incoming') to upload the malicious .message file; servers without anonymous or authenticated write access are not directly exploitable via this path.
  • The stack-based overflow in sreplace is only reachable via pr_display_file starting from ProFTPD 1.3.0rc3; earlier stable versions (e.g., 1.2.10) cannot be reached via this vector.
  • CVE-2006-5815 was originally (erroneously) associated with the CommandBufferSize off-by-two; the actual sreplace stack overflow is the correct vulnerability for this CVE.
  • Bad characters for the payload are null byte, newline, carriage return, and percent sign (0x00, 0x0a, 0x0d, 0x25); shellcode must avoid these bytes.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                       10.0    CRITICAL
vendor_debian             10.0    MEDIUM