Input validation error in PureFTPd Pure-FTPd

1) Input validation error

EUVDB-ID: #VU32849

Risk: Low

CVSSv3.1: 1.4 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2011-0418

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote #AU# to perform service disruption.

The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pure-FTPd: 1.0.1 - 1.0.31

External links

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c#rev1.28
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.27&r2=1.28&f=h
http://securityreason.com/achievement_securityalert/97
http://securityreason.com/securityalert/8228
http://www.mandriva.com/security/advisories?name=MDVSA-2011:094
http://www.pureftpd.org/project/pure-ftpd/news
http://www.securityfocus.com/bid/47671
http://www.vupen.com/english/advisories/2011/1273
http://bugzilla.redhat.com/show_bug.cgi?id=704283

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.