URGENT: security fix for psa-proftpd?

[horst rupp]

hello,

is there any security fix for the proftpd bug:

http://bugs.proftpd.org/show_bug.cgi?id=3521

so far i've deactivated proftpd because the hole can be exploited even without a valid account but that's not a good solution.

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of ProFTPD. Authentication is not required to
exploit this vulnerability.

The flaw exists within the proftpd server component which listens by
default on TCP port 21. When reading user input if a TELNET_IAC escape
sequence is encountered the process miscalculates a buffer length
counter value allowing a user controlled copy of data to a stack buffer.
A remote attacker can exploit this vulnerability to execute arbitrary
code under the context of the proftpd process.



regards
horst

 

[IgorG]

I have forwarded it to developers. Let's wait their answer. I will update thread as soon as I receive any useful information from developers.

 

[argonius]

also waiting

hi,

i am also waiting for a fix.

hope the developer going to package a newer proftpd version fast, cause this is a very high dangerous bug!

Thanks, Patrick

 

[horst rupp]

is there a place to download the source-rpm, then i could fix it myself?

 

[argonius]

maybe

there is something at atomicrocketturtle?

if you have fixed it, can you please place a link to the fixed version?

thanks,patrick

 

[GunFood]

I did on CentOS 5.5:

download tar.gz, uncompress.
./configure
make
mv /usr/sbin/proftpd /usr/sbin/proftpd.old
cp proftpd /usr/sbin/proftpd
service restart xinetd

verify the update:
ftp localhost should answer:
220 ProFTPD 1.3.3c Server

Done.

 

[KlausR2020]

I did on CentOS 5.5:

download tar.gz, uncompress.
./configure
make
mv /usr/sbin/proftpd /usr/sbin/proftpd.old
cp proftpd /usr/sbin/proftpd
service restart xinetd

verify the update:
ftp localhost should answer:
220 ProFTPD 1.3.3c Server

Done.

This does not work on SuSE 11.1 x86_64

proftpd[14052]: Fatal: unknown configuration directive 'AuthPAM' on line 70 of '/etc/proftpd.conf'

To build an own working installation requires more than just changing the binary.
If the security hole exists in the ProFTPD 1.3.2e which is shipped with plesk 9.5.2 and 9.5.3, I think it's a very dangerous situation, because thousands of installations running plesk with 1.3.2e ...

We habe shut down the ftp service for 11 domains on one of our servers for security reasons. Hmm.

Regards, Klaus

 

[atomicturtle]

The update is out for ASL users was released yesterday. The build for the Atomic repo should be available shortly

 

[atomicturtle]

Updated packages should be available for everybody in the [atomic] repo now. For the newcomers you can upgrade with:

1) add atomic
wget -q -O - http://www.atomicorp.com/installers/atomic |sh

2) Update psa-proftpd:
yum upgrade psa-proftpd

 

[KlausR2020]

This does not work on SuSE 11.1 x86_64

proftpd[14052]: Fatal: unknown configuration directive 'AuthPAM' on line 70 of '/etc/proftpd.conf'

To build an own working installation requires more than just changing the binary.
If the security hole exists in the ProFTPD 1.3.2e which is shipped with plesk 9.5.2 and 9.5.3, I think it's a very dangerous situation, because thousands of installations running plesk with 1.3.2e ...

We habe shut down the ftp service for 11 domains on one of our servers for security reasons. Hmm.

Regards, Klaus

Ok, ist works, if you install pam-devel and compile / recompile the 1.3.3c source. I've copied the proftpd binary to /usr/sbin and is works on SuSE 11.1 x86_64. But the recommended way to fix this is to wait for the oficcial hotfix.

Regards, Klaus

 

[atomicturtle]

Side note this package also adds support for:
* clamav scanning
* sftp
* RBL's

 

[argonius]

thanks

you made my day

 

[horst rupp]

hello? any official fix?

some people think it's critical:

"A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process," the entry in the ProTFPD project's bug tracker reads.

Successful exploitation can be achieved over both FTP and FTPS (FTP over SSL/TLS) connections and doesn't require authentication.

Therefore, public FTP servers based on ProFTPD are in an immediate danger of compromise.

http://news.softpedia.com/news/Crit...n-Vulnerability-Fixed-in-ProFTPD-164329.shtml

 

[horst rupp]

ping! any news?

 

[IgorG]

Developers are working on it.
Use custom solution described here if it is really important for you.

 

[Bevan]

On my Ubuntu server I didn't want to replace only the binary and let all other files untouched. So I replaced psa-proftpd by proftpd-basic which is shipped and maintained by Debian and Ubuntu. For me this works for the moment.
I wrote down all steps that were necessary to do so on our server. Maybe it can help someone else: Klick

 

[zeroday]

I used customer solution and ... suddenly my FTP did not work anymore .

I have a clean server with 10.01
my ftp was working
updated server with yum
added atomic repository
upgraded proftpd

and I suddenly had no config files anymore ... duuhh wierd.
Fixed it with some tips found here ..

 

[Leuviah]

i too same problem with psa-proftpd of atomic on centos 5 and plesk 10.0.1, before all working, but after of update with atomic psa-proftpd the ftp no work anymore, i too fixed it with some tips found here.

regards

I used customer solution and ... suddenly my FTP did not work anymore .

I have a clean server with 10.01
my ftp was working
updated server with yum
added atomic repository
upgraded proftpd

and I suddenly had no config files anymore ... duuhh wierd.
Fixed it with some tips found here ..

 

[PSi_101]

It's very important this gets fixed quickly. My upstream provider has policy blocked port 21 because of this vulnerability.

 

[JuergenW]

Igor,

what do you think: When will the fix be available? In a few days (1-3), in a week or in several weeks?

JuergenW