Vulnerability Name: CVE-2006-5815 (CCN-30147)

Assigned: 2006-11-07
Published: 2006-11-07
Updated: 2018-10-17
Summary: Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
An off-by-one string manipulation flaw exists in ProFTPD's sreplace() function, allowing a remote attacker to execute arbitrary code.

CVSS v3 Severity: 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Changed
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High

CVSS v2 Severity: 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
8.3 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): Complete
  Availability (A): Complete
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
8.3 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): Complete
  Availability (A): Complete
Vulnerability Type: CWE-119
Vulnerability Consequences: Gain Access

References:

Source: CCN
Type: BugTraq Mailing List, Mon Nov 27 2006 - 10:37:30 CST
CVE-2006-5815: remote code execution in ProFTPD

Source: CCN
Type: Full-Disclosure Mailing List, Mon Nov 27 2006 - 17:19:43 CST
ProFTPD remote buffer overflow vulnerability

Source: CONFIRM
Type: UNKNOWN
http://bugs.proftpd.org/show_bug.cgi?id=2858

Source: MITRE
Type: CNA
CVE-2006-5815

Source: MISC
Type: UNKNOWN
http://gleg.net/vulndisco_meta.shtml

Source: CCN
Type: SourceForge.net Repository
[proftp] Diff of /proftpd/src/main.c

Source: CCN
Type: SA22803
ProFTPD "sreplace()" Buffer Overflow Vulnerability

Source: SECUNIA
Type: Vendor Advisory
22803

Source: CCN
Type: SA22821
ProFTPD "CommandBufferSize" Denial of Service Vulnerability

Source: SECUNIA
Type: Vendor Advisory
22821

Source: SECUNIA
Type: Vendor Advisory
23000

Source: SECUNIA
Type: Vendor Advisory
23069

Source: SECUNIA
Type: Vendor Advisory
23125

Source: SECUNIA
Type: Vendor Advisory
23174

Source: SECUNIA
Type: Vendor Advisory
23179

Source: SECUNIA
Type: Vendor Advisory
23184

Source: SECUNIA
Type: Vendor Advisory
23207

Source: CCN
Type: SECTRACK ID: 1017167
ProFTPD sreplace() Off-by-one Bug Lets Remote Users Execute Arbitrary Code

Source: SECTRACK
Type: UNKNOWN
1017167

Source: SLACKWARE
Type: UNKNOWN
SSA:2006-335-02

Source: DEBIAN
Type: UNKNOWN
DSA-1222

Source: DEBIAN
Type: DSA-1222
proftpd -- several vulnerabilities

Source: CCN
Type: GLSA-200611-26
ProFTPD: Remote execution of arbitrary code

Source: GENTOO
Type: UNKNOWN
GLSA-200611-26

Source: CCN
Type: GLEG Ltd. Web site
VulnDisco Pack for Metasploit

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:217

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:217-1

Source: CCN
Type: OpenPKG-SA-2006.035
ProFTPD

Source: OPENPKG
Type: UNKNOWN
OpenPKG-SA-2006.035

Source: CCN
Type: OSVDB ID: 30267
ProFTPD src/support.c sreplace() Function Remote Overflow

Source: CCN
Type: OSVDB ID: 30660
ProFTPD CommandBufferSize Option cmd_loop() Function DoS

Source: CCN
Type: OSVDB ID: 30719
mod_tls Module for ProFTPD tls_x509_name_oneline Function Remote Overflow

Source: CCN
Type: ProFTPD Web site
The ProFTPD Project: Home

Source: BUGTRAQ
Type: UNKNOWN
20061127 CVE-2006-5815: remote code execution in ProFTPD

Source: BID
Type: UNKNOWN
20992

Source: CCN
Type: BID-20992
ProFTPD SReplace Remote Buffer Overflow Vulnerability

Source: TRUSTIX
Type: UNKNOWN
2006-0066

Source: TRUSTIX
Type: UNKNOWN
2006-0070

Source: CCN
Type: TLSA-2006-41
proftpd denial of service attack

Source: VUPEN
Type: Vendor Advisory
ADV-2006-4451

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

Source: XF
Type: UNKNOWN
proftpd-sreplace-bo(30147)

Source: XF
Type: UNKNOWN
proftpd-code-execution(30147)

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [01-09-2011]

Source: CCN
Type: Rapid7 Vulnerability and Exploit Database [11-26-2006]
ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:proftpd_project:proftpd:*:*:*:*:*:*:*:* (Version <= 1.3.0)

Configuration CCN 1:
  • cpe:/a:proftpd:proftpd:1.2.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:proftpd:proftpd:1.2.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:proftpd:proftpd:1.2.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:proftpd:proftpd:1.3.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:openpkg:openpkg:current:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:-:*:*:*:*:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:8:*:*:*:server:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:10:*:*:*:server:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:113176 | P | proftpd-1.3.6e-1.10 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:106598 | P | proftpd-1.3.6e-1.10 on GA media (Moderate) | 2021-10-01
oval:org.debian:def:1222 | V | several vulnerabilities | 2013-01-21