Internet Security Systems Security Advisory September 23, 2003 ProFTPD ASCII File Remote Compromise Vulnerability Synopsis: ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD is a highly configurable FTP (File Transfer Protocol) server for Unix that allows for per-directory access restrictions, easy configuration of virtual FTP servers, and support for multiple authentication mechanisms. A flaw exists in the ProFTPD component that handles incoming ASCII file transfers. Impact: An attacker capable of uploading files to the vulnerable system can trigger a buffer overflow and execute arbitrary code to gain complete control of the system. Attackers may use this vulnerability to destroy, steal, or manipulate data on vulnerable FTP sites. Affected Versions: ProFTPD 1.2.7 ProFTPD 1.2.8 ProFTPD 1.2.8rc1 ProFTPD 1.2.8rc2 ProFTPD 1.2.9rc1 ProFTPD 1.2.9rc2 Description: A vulnerability exists in the ProFTPD server that can be triggered by remote attackers when transferring files from the FTP server in ASCII mode. The attacker must have the ability to upload a file to the server, and then attempt to download the same file to trigger the vulnerability. The vulnerability occurs when a file is being transferred in ASCII mode. During a transfer of this type, file data is examined in 1024 byte chunks to check for newline (\n) characters. The translation of these newline characters is not handled correctly, and a buffer overflow can manifest if ProFTPD parses a specially crafted file. The ProFTPD daemon makes an effort to drop superuser privileges to limit the privilege level associated with any successful attack. However, X-Force has demonstrated that this security check can be bypassed, and superuser access can be gained by a remote attacker. Recommendations: For identification of potentially vulnerable systems, Internet Security Systems has provided the following assessment checks: Internet Scanner XPU 7.6/6.35 ProftpdAsciiXferNewlineBo - (http://xforce.iss.net/xforce/xfdb/12200) For Dynamic Threat Protection, Internet Security Systems recommends applying a Virtual Patch for the ProFTPD vulnerability. Employ the following protection techniques through ISS' Dynamic Threat Protection platform. The following updates have already been made available. RealSecure Network/Proventia A Series XPU 21.1 FTP_ProFTPD_Translate_Overflow - (http://xforce.iss.net/xforce/xfdb/12200) RealSecure Server XPU 21.1 FTP_ProFTPD_Translate_Overflow - (http://xforce.iss.net/xforce/xfdb/12200) For Manual Protection, ISS has offered the following recommendations: Successful exploitation is not possible if attackers cannot upload files to a vulnerable FTP server. Where possible it is advisable to disable the ability for users to perform FTP uploads, either with file permissions or using ProFTPD configuration parameters: <Limit WRITE> DenyAll </Limit> Risk can also be mitigated by using configuration options which cause root privileges to be dropped altogether by the ProFTPD daemon (although this feature may disable certain ProFTPD functionality): RootRevoke on X-Force recommends that ProFTPD users upgrade to the patched version of ProFTPD when it becomes available. Additional Information: The ProFTPD Project http://www.proftpd.org Credit: This vulnerability was discovered and researched by Mark Dowd of the ISS X-Force. ______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved worldwide. This document is not to be edited or altered in any way without the express written consent of Internet Security Systems, Inc. If you wish to reprint the whole or any part of this document, please email xforce@iss.net for permission. You may provide links to this document from your web site, and you may make copies of this document in accordance with the fair use doctrine of the U.S. copyright laws. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.
*** Bug 29475 has been marked as a duplicate of this bug. ***
-- quote from bug #29475 The source code for the 1.2.7, 1.2.8, 1.2.9rc1, and 1.2.9rc2 releases on our FTP server has been patched, and new MD5 checksums and PGP signatures posted. All current users of ProFTPD are strongly urged to upgrade to one of these patched distributions. -- what we need at this point is to download one of xforces proftpd tarballs and diff -Nru it out to our own. Create a patch, roll a new proftpd and issue a GLSA Any takers? on getting us the needed patches? (comon you know you want to) If none I'll diff them out in 8-10 hours from now.
23 Sep 2003; Daniel Ahlberg <aliz@gentoo.org> proftpd-1.2.9_rc2.ebuild: Security update Oh its fixed in portage already. Thanks aliz. Please send a GLSA when ready.
Maybe I miss something but I think there is a problem with this update. I dont use 1.2.9rc2 ebuild, I leave emerge to decide which one to use (and it choses the 1.2.9rc1 one by default). I have changed mirrors (using ibiblio.org as rsync mirror and "US mirror" as the download mirror). I ran "emerge sync" then emerge proftpd. The tarball in the /usr/portage/distfiles for proftpd 1.2.9rc1 DOES NOT have the patch/fix for the security problem mentioned here. I have checked the ebuild and I dont see any patch applied on the source at compile/emerge time. Unless I am doing something wrong I think this is a big issue (the proftpd problem has gone public 5 days ago...). PS: yes, if I specifiy emerge to merge 1.2.9rc2 (giving full path to the ebuild file) it seems to download 1.2.9rc2p tarball from proftpd.org which is fixed Thanks
*** Bug 29878 has been marked as a duplicate of this bug. ***
marked stable on x86, sent mail to gentoo-dev requesting testing on other arches. vaiper@g.o relayed the mail to appropriate arch herds. ( ~sparc ~hppa ~alpha ~ppc ) need testing. Arch herds please test and mark stable when ready. ACCEPT_KEYWORDS="arch ~arch" emerge --nodeps '>=net-ftp/proftpd-1.2.9_rc2'
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-16 (proftpd) was sent to gentoo-announce@gentoo.org, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
changing resolution to FIXED
I must say that I do not agree marking 1.2.9rc2 ebuild stable and installed by default on "emerge proftpd". 1.2.9rc2 is NOT stable (as beeing a release candidate), here is just one very nasty bug with it: http://bugs.proftpd.org/show_bug.cgi?id=2183 Either add the patch which fixes the problem and make another ebuild for 1.2.9rc2 or mark it unstable and mark 1.2.8 as beeing stable and add the security fix to it (just change the source from proftpd-1.2.8.tar.bz2 to proftpd-1.2.8p.tar.bz2 should fix it properly).
*** Bug 33144 has been marked as a duplicate of this bug. ***
*** Bug 36058 has been marked as a duplicate of this bug. ***