Luka w ProFTPD

ISS X-Force odkryli poważną lukę w serwerze FTP – ProFTPD. Atakujący może spowodować przepełnienie bufora (buffer overflow) i wykonać arbitralny kod z prawami administratora. Bląd występuje od wersji 1.2.7 do 1.2.9rc2. Starsze wersje również mogą być podatne na atak. Pełne advisory można poczytać poniżej:

Internet Security Systems Security Advisory
September 23, 2003

ProFTPD ASCII File Remote Compromise Vulnerability

Synopsis:

ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD
is a highly configurable FTP (File Transfer Protocol) server for Unix
that allows for per-directory access restrictions, easy configuration of
virtual FTP servers, and support for multiple authentication mechanisms.
A flaw exists in the ProFTPD component that handles incoming ASCII file
transfers.

Impact:

An attacker capable of uploading files to the vulnerable system can
trigger a buffer overflow and execute arbitrary code to gain complete
control of the system. Attackers may use this vulnerability to destroy,
steal, or manipulate data on vulnerable FTP sites.

Affected Versions:

ProFTPD 1.2.7
ProFTPD 1.2.8
ProFTPD 1.2.8rc1
ProFTPD 1.2.8rc2
ProFTPD 1.2.9rc1
ProFTPD 1.2.9rc2

Description:

A vulnerability exists in the ProFTPD server that can be triggered by
remote attackers when transferring files from the FTP server in ASCII
mode. The attacker must have the ability to upload a file to the server,
and then attempt to download the same file to trigger the vulnerability.

The vulnerability occurs when a file is being transferred in ASCII mode.
During a transfer of this type, file data is examined in 1024 byte chunks
to check for newline (\n) characters. The translation of these newline
characters is not handled correctly, and a buffer overflow can manifest if
ProFTPD parses a specially crafted file.

The ProFTPD daemon makes an effort to drop superuser privileges to limit
the privilege level associated with any successful attack. However,
X-Force has demonstrated that this security check can be bypassed, and
superuser access can be gained by a remote attacker.

Recommendations:

For identification of potentially vulnerable systems, Internet Security
Systems has provided the following assessment checks:

Internet Scanner XPU 7.6/6.35 ProftpdAsciiXferNewlineBo –
(http://xforce.iss.net/xforce/xfdb/12200)

For Dynamic Threat Protection, Internet Security Systems recommends
applying a Virtual Patch for the ProFTPD vulnerability. Employ the
following protection techniques through ISS’ Dynamic Threat Protection
platform. The following updates have already been made available.

RealSecure Network/Proventia A Series XPU 21.1
FTP_ProFTPD_Translate_Overflow –
(http://xforce.iss.net/xforce/xfdb/12200)

RealSecure Server XPU 21.1 FTP_ProFTPD_Translate_Overflow –
(http://xforce.iss.net/xforce/xfdb/12200)

For Manual Protection, ISS has offered the following recommendations:

Successful exploitation is not possible if attackers cannot upload files
to a vulnerable FTP server. Where possible it is advisable to disable the
ability for users to perform FTP uploads, either with file permissions or
using ProFTPD configuration parameters:

<Limit WRITE>
DenyAll
</Limit>

Risk can also be mitigated by using configuration options which cause root
privileges to be dropped altogether by the ProFTPD daemon (although this
feature may disable certain ProFTPD functionality):

RootRevoke on

X-Force recommends that ProFTPD users upgrade to the patched version of
ProFTPD when it becomes available.

Additional Information:

The ProFTPD Project
http://www.proftpd.org

Credit:

This vulnerability was discovered and researched by Mark Dowd of the ISS
X-Force.

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email

xforce@iss.net for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user’s risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT’s PGP key server and PGP.com’s key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force

xforce@iss.net of Internet Security Systems, Inc.