bftpd
cpe:2.3:a:bftpd_project:bftpd:*:*:*:*:*:*:*
- <= 6.2
A heap-based buffer overflow vulnerability has been identified in bftpd versions through 6.2. The issue arises in the expand_groups function within options.c, part of the Configuration File Handler component. The vulnerability is triggered by unsafe string concatenation that appends a comma to a buffer allocated by strdup, leading to a heap overflow. This flaw can be exploited locally by providing a malicious configuration file, and may also be reachable remotely in environments that allow untrusted configuration uploads or modifications.
Exploitation of this vulnerability causes controlled memory corruption, resulting in a process crash. However, under certain conditions, this memory corruption could be leveraged for arbitrary code execution, depending on the heap layout and security mitigations in place.
The vulnerability can be reproduced by compiling bftpd with AddressSanitizer enabled, which detects and reports the heap-based buffer overflow. After replacing the default configuration file with one crafted to trigger the vulnerability, bftpd can be launched in daemon mode. When the FTP server processes the USER command, AddressSanitizer reports a heap-buffer-overflow error and the server crashes.
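The root cause described above is a generic C pattern: strdup() allocates exactly strlen(s) + 1 bytes, so appending anything to that block with strcat() writes past its end. The following is an added illustration of that pattern beside a correctly sized replacement; it is constructed for this page and is not bftpd's expand_groups code or any other part of the project's source. The function names (append_comma_unsafe, append_comma_safe, join_groups) and the sample group names are assumptions made for the example. The join_groups helper generalises the fix to the usual "expand a list into a comma-separated string" case by computing the total size before writing.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() under strict standards modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern (constructed illustration, NOT bftpd's actual source):
 * strdup() allocates exactly strlen(s) + 1 bytes, so the block has no spare
 * room. Appending even one character with strcat() writes past the end of the
 * heap allocation. Shown for comparison only; it is never called below. */
char *append_comma_unsafe(const char *group)
{
    char *buf = strdup(group);   /* strlen(group) + 1 bytes, already full */
    if (buf == NULL)
        return NULL;
    strcat(buf, ",");            /* BUG: writes ',' and NUL one byte past the block */
    return buf;
}

/* Hardened form: size the destination from the data before writing into it. */
char *append_comma_safe(const char *group)
{
    size_t len = strlen(group);
    char *buf = malloc(len + 2); /* original bytes + ',' + terminating NUL */
    if (buf == NULL)
        return NULL;
    memcpy(buf, group, len);
    buf[len] = ',';
    buf[len + 1] = '\0';
    return buf;
}

/* Generalisation (hypothetical helper): build "g1,g2,g3," from a list by
 * computing the total size first, so the result never depends on a
 * strdup()-sized buffer having slack. */
char *join_groups(const char *const *groups, size_t count)
{
    size_t total = 1;                        /* terminating NUL */
    for (size_t i = 0; i < count; i++)
        total += strlen(groups[i]) + 1;      /* each entry plus its trailing ',' */

    char *out = malloc(total);
    if (out == NULL)
        return NULL;

    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(groups[i]);
        memcpy(out + pos, groups[i], len);
        pos += len;
        out[pos++] = ',';
    }
    out[pos] = '\0';
    return out;
}

/* Self-checks returning 1 on success, 0 on failure. */
int check_append_comma(void)
{
    char *s = append_comma_safe("admins");   /* constructed sample input */
    int ok = s != NULL && strcmp(s, "admins,") == 0 && strlen(s) == 7;
    free(s);
    return ok;
}

int check_join_groups(void)
{
    const char *groups[] = { "admins", "ftp", "wheel" };   /* constructed sample */
    char *s = join_groups(groups, 3);
    int ok = s != NULL && strcmp(s, "admins,ftp,wheel,") == 0;
    free(s);
    return ok;
}

int check_join_empty(void)
{
    char *s = join_groups(NULL, 0);          /* edge case: empty list */
    int ok = s != NULL && s[0] == '\0';
    free(s);
    return ok;
}

int main(void)
{
    printf("append_comma_safe: %s\n", check_append_comma() ? "ok" : "FAIL");
    printf("join_groups:       %s\n", check_join_groups() ? "ok" : "FAIL");
    printf("join_groups empty: %s\n", check_join_empty() ? "ok" : "FAIL");
    return 0;
}
```

Building the safe variants with `-fsanitize=address` and running them produces no report, while calling append_comma_unsafe under the same flags is the kind of one-byte heap write AddressSanitizer flags as heap-buffer-overflow; the practical rule is to derive every allocation size from the data about to be written rather than reusing a block sized by strdup().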