Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2 allow attackers to cause a denial of service or obtain sensitive information via (1) certain inputs to the shutdown message from ftpshut, or (2) the SQLShowInfo mod_sql directive.

The ProFTPD release notes states :

sean <infamous42md at hotpop.com> found two format string vulnerabilities, one in mod_sql's SQLShowInfo directive, and one involving the 'ftpshut' utility. Both can be considered low risk, as they require active involvement on the part of the site administrator in order to be exploited.

These vulnerabilities could potentially lead to information disclosure, a denial-of-server situation, or execution of arbitrary code with the permissions of the user running ProFTPD.

Two format string vulnerabilities were discovered in ProFTPD. The first exists when displaying a shutdown message containin the name of the current directory. This could be exploited by a user who creates a directory containing format specifiers and sets the directory as the current directory when the shutdown message is being sent.

The second exists when displaying response messages to the cleint using information retreived from a database using mod_sql. Note that mod_sql support is not enabled by default, but the contrib source file has been patched regardless.

The updated packages have been patched to correct these problems.

infamous42md reported that proftpd suffers from two format string vulnerabilities. In the first, a user with the ability to create a directory could trigger the format string error if there is a proftpd shutdown message configured to use the '%C', '%R', or '%U' variables.
In the second, the error is triggered if mod_sql is used to retrieve messages from a database and if format strings have been inserted into the database by a user with permission to do so.

The remote host is affected by the vulnerability described in GLSA-200508-02 (ProFTPD: Format string vulnerabilities)

     'infamous42md' reported that ProFTPD is vulnerable to format     string vulnerabilities when displaying a shutdown message containing     the name of the current directory, and when displaying response     messages to the client using information retrieved from a database     using mod_sql.
  Impact :

    A remote attacker could create a directory with a malicious name     that would trigger the format string issue if specific variables are     used in the shutdown message, potentially resulting in a Denial of     Service or the execution of arbitrary code with the rights of the user     running the ProFTPD server. An attacker with control over the database     contents could achieve the same result by introducing malicious     messages that would trigger the other format string issue when used in     server responses.
  Workaround :

    Do not use the '%C', '%R', or '%U' in shutdown messages, and do     not set the 'SQLShowInfo' directive.

The remote host is using ProFTPD, a free FTP server for Unix and Linux.

According to its banner, the version of ProFTPD installed on the remote host suffers from multiple format string vulnerabilities, one involving the 'ftpshut' utility and the other in mod_sql's 'SQLShowInfo' directive. Exploitation of either requires involvement on the part of a site administrator and can lead to information disclosure, denial of service, and even a compromise of the affected system.

The remote host is using ProFTPD, a free FTP server for Unix and Linux.  According to its banner, the version of ProFTPD installed on the remote host suffers from multiple format string vulnerabilities, one involving the 'ftpshut' utility and the other in mod_sql's 'SQLShowInfo' directive.  Exploitation of either requires involvement on the part of a site administrator and can lead to information disclosure, denial of service, and even a compromise of the affected system.

ID	Name	Product	Family	Severity
21507	FreeBSD : proftpd -- format string vulnerabilities (c28f4705-043f-11da-bc08-0001020eed82)	Nessus	FreeBSD Local Security Checks	medium
19897	Mandrake Linux Security Advisory : proftpd (MDKSA-2005:140)	Nessus	Mandriva Local Security Checks	medium
19565	Debian DSA-795-2 : proftpd - potential code execution	Nessus	Debian Local Security Checks	medium
19364	GLSA-200508-02 : ProFTPD: Format string vulnerabilities	Nessus	Gentoo Local Security Checks	medium
19302	ProFTPD < 1.3.0rc2 Multiple Remote Format Strings	Nessus	FTP	medium
3113	ProFTPD < 1.3.0rc2 Multiple Format Strings	Nessus Network Monitor	FTP Servers	high

Detections

Analytics

CVE-2005-2390

high

Tenable Plugins

medium

medium

medium

medium

medium

high