ProFTPD Buffer Overflow Vulnerability Allowing Arbitrary Code Execution and Denial-of-Service

Vulnerability

A buffer overflow vulnerability has been identified in ProFTPD version 1.3.7a+dfsg-12+deb11u5. This vulnerability allows remote attackers to execute arbitrary code and can lead to a denial-of-service condition on the FTP service. The issue arises when a maliciously crafted message is sent to the ProFTPD service port, causing the FTP service to crash.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where ProFTPD is running. Additionally, it causes a denial-of-service condition by crashing the FTP service, disrupting file transfer operations.

Reproduction

The vulnerability can be reproduced by sending a specially crafted message to the ProFTPD service port. This can be done using a network tool or script that allows for the manipulation of the message content. The crafted message should exploit the buffer overflow vulnerability, leading to the execution of arbitrary code on the server.

Remediation

Users can upgrade to ProFTPD version 1.3.7a+dfsg-12+deb11u5 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         6.4
impact:         10.0
exploitability: 8.6
remediation:    7.7
relevance:      0.0
threat:         1.7
urgency:        2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.