[UNIX] ProFTPD ASCII File Remote Compromise Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 09/24/03

    To: list@securiteam.com
    Date: 24 Sep 2003 11:02:15 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      ProFTPD ASCII File Remote Compromise Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    ISS X-Force has discovered a flaw in the ProFTPD UNIX FTP server. ProFTPD
    is a highly configurable FTP (File Transfer Protocol) server for UNIX that
    allows for per-directory access restrictions, easy configuration of
    virtual FTP servers, and support for multiple authentication mechanisms. A
    flaw exists in the ProFTPD component that handles incoming ASCII file
    transfers.

    DETAILS

    Affected Versions:
     * ProFTPD version 1.2.7
     * ProFTPD version 1.2.8
     * ProFTPD version 1.2.8rc1
     * ProFTPD version 1.2.8rc2
     * ProFTPD version 1.2.9rc1
     * ProFTPD version 1.2.9rc2

    Note: versions before version 1.2.7 may also be vulnerable.

    A vulnerability exists in the ProFTPD server that can be triggered by a
    remote attacker who downloads (RETR) a file from the server in ASCII
    transfer mode (TYPE A). The attacker must first be able to upload a
    crafted file to the server, and then download that same file in ASCII
    mode to trigger the vulnerability.

    The vulnerability occurs when a file is being transferred in ASCII mode.
    In ASCII mode the server must send lines terminated by CRLF, so during a
    transfer of this type file data is examined in 1024 byte chunks to find
    newline (\n) characters, each of which is expanded to \r\n. Because every
    newline adds a byte, the translated data can be larger than the chunk it
    came from. This expansion is not handled correctly, and a buffer overflow
    can manifest when ProFTPD translates a specially crafted file, such as
    one dense with newlines.
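    The following C program is an added illustration of the mechanism described
    above; it is not ProFTPD code and does not reproduce the vulnerable
    function. It models the ASCII-mode \n to \r\n expansion over a 1024 byte
    chunk, shows why a chunk of nothing but newlines needs twice its size on
    output, and gives a bounds-checked translator that refuses to write past
    the buffer it was handed and carries a trailing \r across chunk boundaries
    (so "\r" at the end of one chunk and "\n" at the start of the next is not
    doubled). The chunk size, buffer sizes and sample data are all constructed
    for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 1024   /* chunk size the advisory describes (constructed) */

/*
 * Output bytes needed to send `len` bytes of `in` in FTP ASCII mode:
 * every bare '\n' (not already preceded by '\r') becomes "\r\n".
 * `prev_cr` says whether the previous chunk ended with '\r'.
 */
size_t ascii_expanded_len(const unsigned char *in, size_t len, int prev_cr)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        out += (in[i] == '\n' && !prev_cr) ? 2 : 1;
        prev_cr = (in[i] == '\r');
    }
    return out;
}

/* 1 if translating this chunk into a fixed `cap`-byte buffer would overrun it. */
int chunk_would_overflow(const unsigned char *in, size_t len, size_t cap)
{
    return ascii_expanded_len(in, len, 0) > cap;
}

/*
 * Bounds-checked translator. Writes at most `outcap` bytes and returns the
 * number written, or SIZE_MAX if the chunk does not fit (the caller must then
 * abort the transfer, never keep writing). A caller that sizes `out` as
 * 2*len can never receive SIZE_MAX. `*prev_cr` carries CR state across
 * chunk boundaries so "...\r" + "\n..." does not become "\r\r\n".
 */
size_t xlate_ascii_write(const unsigned char *in, size_t len,
                         unsigned char *out, size_t outcap, int *prev_cr)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        size_t need = (in[i] == '\n' && !*prev_cr) ? 2 : 1;
        if (o + need > outcap)
            return SIZE_MAX;
        if (need == 2)
            out[o++] = '\r';
        out[o++] = in[i];
        *prev_cr = (in[i] == '\r');
    }
    return o;
}

/* Cross-chunk check: "a\r" followed by "\nb" must yield exactly "a\r\nb". */
int crlf_carry_ok(void)
{
    unsigned char out[8];
    int prev_cr = 0;
    size_t n1 = xlate_ascii_write((const unsigned char *)"a\r", 2,
                                  out, sizeof out, &prev_cr);
    size_t n2 = xlate_ascii_write((const unsigned char *)"\nb", 2,
                                  out + n1, sizeof out - n1, &prev_cr);
    return n1 + n2 == 4 && memcmp(out, "a\r\nb", 4) == 0;
}

/* Three newlines need six output bytes; a four-byte buffer must be refused. */
int refuses_overrun(void)
{
    unsigned char small[4];
    int prev_cr = 0;
    return xlate_ascii_write((const unsigned char *)"\n\n\n", 3,
                             small, sizeof small, &prev_cr) == SIZE_MAX;
}

int main(void)
{
    /* Constructed worst case: a chunk that is nothing but newlines. */
    unsigned char chunk[CHUNK_SIZE];
    memset(chunk, '\n', sizeof chunk);

    size_t need = ascii_expanded_len(chunk, sizeof chunk, 0);
    printf("%zu input bytes need %zu output bytes in ASCII mode\n",
           sizeof chunk, need);
    printf("fits in a %d-byte buffer: %s\n", CHUNK_SIZE,
           chunk_would_overflow(chunk, sizeof chunk, CHUNK_SIZE) ? "no" : "yes");

    unsigned char out[2 * CHUNK_SIZE];
    int prev_cr = 0;
    size_t n = xlate_ascii_write(chunk, sizeof chunk, out, sizeof out, &prev_cr);
    printf("bounded translator wrote %zu bytes\n", n);
    return 0;
}
```

    The two defences shown are the ones a reviewer would look for in any
    CRLF translator: size the output for the worst case (2x the input) or fail
    closed when it does not fit, and keep CR state across chunks so the check
    is not fooled at a boundary.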

    The ProFTPD daemon makes an effort to drop superuser privileges to limit
    the privilege level associated with any successful attack. However,
    X-Force has demonstrated that this security check can be bypassed, and
    superuser access can be gained by a remote attacker.

    Impact:
    An attacker capable of uploading files to the vulnerable system can
    trigger a buffer overflow and execute arbitrary code to gain complete
    control of the system. Attackers may use this vulnerability to destroy,
    steal, or manipulate data on vulnerable FTP sites.

    Workaround:
    Successful exploitation is not possible if attackers cannot upload files
    to a vulnerable FTP server. Where possible it is advisable to disable the
    ability for users to perform FTP uploads, either with file permissions or
    using ProFTPD configuration parameters:
    <Limit WRITE>
         DenyAll
    </Limit>

    Risk can also be mitigated by using configuration options that cause root
    privileges to be dropped altogether by the ProFTPD daemon (although this
    feature may disable certain ProFTPD functionality):
    RootRevoke on
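    The fragment below is an added example of how the two mitigations above
    fit into a proftpd.conf; it is not configuration from the advisory or from
    the ProFTPD project, and the directory path is hypothetical. It pairs the
    weak setting (a writable upload area) with the restricted one, then adds
    RootRevoke as a second layer.

```apache
# proftpd.conf fragment (added example; /var/ftp/incoming is a hypothetical path)

# Weak: users may write into the directory, so an attacker can stage a
# crafted file with STOR and then RETR it in ASCII mode.
<Directory /var/ftp/incoming>
  <Limit WRITE>
    AllowAll
  </Limit>
</Directory>

# Mitigated: deny STOR, APPE and the other write commands until the
# patched release is installed. Nothing can be uploaded, so the crafted
# file cannot be placed on the server.
<Directory /var/ftp/incoming>
  <Limit WRITE>
    DenyAll
  </Limit>
</Directory>

# Second layer: give up root entirely after login, so code running after
# a successful overflow has only the FTP user's privileges. Known cost:
# active-mode data connections, which must originate from port 20, need
# root to bind that port and will no longer work.
RootRevoke on
```

    After editing, run `proftpd -t -c /path/to/proftpd.conf` to check the
    syntax before restarting the daemon, and confirm with an FTP client that
    STOR into the directory is refused while RETR still works.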

    X-Force recommends that ProFTPD users upgrade to the patched version of
    ProFTPD when it becomes available.

    ADDITIONAL INFORMATION

    The information has been provided by ISS's X-Force.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

