TippingPoint Zero Day Initiative

ProFTPD Response Pool Use-After-Free Remote Code Execution Vulnerability

ZDI-11-328: November 11th, 2011

CVSS Score

Affected Vendors

Affected Products

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the ProFTPd server. Authentication is required to exploit this vulnerability in order to have access to the ftp command set.

The specific flaw exists within how the server manages the response pool that is used to send responses from the server to the client. When handling an exceptional condition the application will fail to restore the original response pointer which will allow there to be more than one reference to the response pointer. The next time it is used, a memory corruption can be made to occur which can allow for code execution under the context of the application.

Vendor Response

ProFTPD has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2011-10-28 - Vulnerability reported to vendor
    2011-11-11 - Coordinated public release of advisory


This vulnerability was discovered by: