
URGENT: security fix for psa-proftpd?

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by horst rupp, Nov 1, 2010.

  1. horst rupp (Basic Pleskian, joined Feb 28, 2009)
    Hello,

    Is there any security fix for the proftpd bug:

    http://bugs.proftpd.org/show_bug.cgi?id=3521

    So far I've deactivated proftpd because the hole can be exploited even without a valid account, but that's not a good solution.

    -- VULNERABILITY DETAILS -----------------------------------------------

    This vulnerability allows remote attackers to execute arbitrary code on
    vulnerable installations of ProFTPD. Authentication is not required to
    exploit this vulnerability.

    The flaw exists within the proftpd server component, which listens by
    default on TCP port 21. When reading user input, if a TELNET_IAC escape
    sequence is encountered, the process miscalculates a buffer length
    counter value, allowing a user-controlled copy of data to a stack buffer.
    A remote attacker can exploit this vulnerability to execute arbitrary
    code under the context of the proftpd process.

    Regards
    horst
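The bug-tracker description quoted in the post above, worked through as an added example. This is my own illustration, not ProFTPD's source and not code from any poster: it reconstructs the class of bug the description names (a Telnet-stripping read loop whose length counter is decremented more often than it is checked) and puts the vulnerable form next to a hardened one. The Telnet byte values come from RFC 854; the function names, the strip_result type, the 4-byte line buffer, and the sample input are assumptions of this example, and the exact code paths of ProFTPD 1.3.2e are not reproduced.

```c
#include <stdio.h>

/* Telnet command bytes (RFC 854).  An FTP control connection is a Telnet NVT
 * stream, so the server strips these before parsing commands (RFC 959). */
enum { TELNET_WILL = 251, TELNET_WONT, TELNET_DO, TELNET_DONT, TELNET_IAC };

/* written: bytes stored through dst; overflowed: written exceeded the limit
 * the caller passed; truncated: the hardened routine refused the line's tail. */
struct strip_result { size_t written; int overflowed, truncated; };

/* WILL/WONT/DO/DONT are contiguous and each carries one more byte (option code). */
static int is_option_cmd(int c) { return c >= TELNET_WILL && c <= TELNET_DONT; }

/* Vulnerable pattern, reconstructed from the bug description (an illustration,
 * not ProFTPD's source).  The loop guard tests `buflen` once per input byte,
 * but the "IAC followed by an ordinary byte" branch stores two bytes and
 * decrements buflen twice.  With buflen == 1 the second decrement wraps the
 * unsigned counter to SIZE_MAX, so the guard stays true and every remaining
 * input byte lands past the end of dst.  The demo caller hands in a backing
 * array larger than srclen so this program itself stays memory-safe. */
static struct strip_result
telnet_strip_vulnerable(unsigned char *dst, size_t dstlen,
                        const unsigned char *src, size_t srclen)
{
    struct strip_result r = {0, 0, 0};
    size_t buflen = dstlen;
    unsigned char *bp = dst;
    int telnet_mode = 0;
    for (size_t i = 0; i < srclen && buflen; i++) {
        unsigned char cp = src[i];
        if (telnet_mode == TELNET_IAC) {
            if (is_option_cmd(cp)) { telnet_mode = cp; continue; }
            telnet_mode = 0;
            if (cp != TELNET_IAC) {     /* IAC + plain byte: keep both.  First  */
                *bp++ = TELNET_IAC;     /* store, with no bounds re-check after */
                buflen--;               /* it.  IAC IAC stores one 0xFF below.  */
            }
        } else if (is_option_cmd(telnet_mode)) {
            telnet_mode = 0; continue;  /* swallow the option code */
        } else if (cp == TELNET_IAC) {
            telnet_mode = TELNET_IAC; continue;
        }
        *bp++ = cp;                     /* second store */
        buflen--;                       /* 1 -> 0 -> SIZE_MAX: guard never fails */
    }
    r.written = (size_t)(bp - dst);
    r.overflowed = r.written > dstlen;
    return r;
}

/* Hardened form: the counter counts bytes written and only grows, every store
 * passes one bounds check, and a line that does not fit is reported as
 * truncated (the caller should reject it) instead of wrapping the counter. */
static struct strip_result
telnet_strip_fixed(unsigned char *dst, size_t dstlen,
                   const unsigned char *src, size_t srclen)
{
    struct strip_result r = {0, 0, 0};
    int telnet_mode = 0;
    for (size_t i = 0; i < srclen; i++) {
        unsigned char cp = src[i], out[2];
        size_t nout = 0;
        if (telnet_mode == TELNET_IAC) {
            if (is_option_cmd(cp)) { telnet_mode = cp; continue; }
            telnet_mode = 0;
            if (cp != TELNET_IAC) out[nout++] = TELNET_IAC;
        } else if (is_option_cmd(telnet_mode)) {
            telnet_mode = 0; continue;
        } else if (cp == TELNET_IAC) {
            telnet_mode = TELNET_IAC; continue;
        }
        out[nout++] = cp;               /* plain byte, or the byte after IAC */
        for (size_t k = 0; k < nout; k++) {
            if (r.written >= dstlen) { r.truncated = 1; return r; }
            dst[r.written++] = out[k];
        }
    }
    return r;
}

/* Constructed sample: three plain bytes, IAC followed by 0x01 (not a Telnet
 * command), then more data; with a 4-byte line buffer the IAC pair arrives
 * when exactly one byte of room is left. */
static const unsigned char sample_line[] = "ABC\xff\x01" "DEFGH";
#define SAMPLE_LEN (sizeof sample_line - 1)
#define LINE_BUF   4

static struct strip_result run_sample(int hardened)
{
    unsigned char backing[64] = {0};   /* oversized so the demo cannot crash */
    if (hardened) return telnet_strip_fixed(backing, LINE_BUF, sample_line, SAMPLE_LEN);
    return telnet_strip_vulnerable(backing, LINE_BUF, sample_line, SAMPLE_LEN);
}

int main(void)
{
    struct strip_result v = run_sample(0), f = run_sample(1);
    printf("vulnerable: stored %zu bytes, limit %d, overflowed=%d\n", v.written, LINE_BUF, v.overflowed);
    printf("fixed:      stored %zu bytes, truncated=%d\n", f.written, f.truncated);
    return 0;
}
```

Build with `cc -Wall -o iac_demo iac_demo.c` (file name assumed) and run it: the vulnerable routine stores 10 bytes against a 4-byte limit, the fixed one stops at 4 and flags the line. In the real server the line buffer the description calls a "stack buffer" is what absorbs those extra bytes, which is why a pre-authentication control-connection read turns into code execution. The hardened version deliberately reports rather than silently truncates, so the caller can drop the connection instead of parsing a mangled command.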
     
  2. IgorG (Forums Analyst, Staff Member, joined Oct 27, 2009, Novosibirsk, Russia)
    I have forwarded it to the developers. Let's wait for their answer. I will update the thread as soon as I receive any useful information from the developers.
     
  3. argonius (Basic Pleskian, joined Apr 28, 2010)
    Also waiting

    Hi,

    I am also waiting for a fix.

    I hope the developers are going to package a newer proftpd version fast, because this is a very dangerous bug!

    Thanks, Patrick
     
  4. horst rupp (Basic Pleskian)
    Is there a place to download the source RPM? Then I could fix it myself.
     
  5. argonius (Basic Pleskian)
    Maybe there is something at atomicrocketturtle?

    If you have fixed it, can you please place a link to the fixed version?

    Thanks, Patrick
     
  6. GunFood (Basic Pleskian, joined Aug 28, 2009, Berlin)
    I did this on CentOS 5.5:

    download the tar.gz, uncompress it.
    ./configure
    make
    # keep the old binary, then swap in the freshly built one
    mv /usr/sbin/proftpd /usr/sbin/proftpd.old
    cp proftpd /usr/sbin/proftpd
    # proftpd is started through xinetd, so restart that
    service xinetd restart

    Verify the update:
    ftp localhost should answer:
    220 ProFTPD 1.3.3c Server

    Done.
     
  7. KlausR2020 (Guest)
     
    This does not work on SuSE 11.1 x86_64:

    proftpd[14052]: Fatal: unknown configuration directive 'AuthPAM' on line 70 of '/etc/proftpd.conf'

    Building your own working installation requires more than just changing the binary.
    If the security hole exists in ProFTPD 1.3.2e, which is shipped with Plesk 9.5.2 and 9.5.3, I think it's a very dangerous situation, because thousands of installations are running Plesk with 1.3.2e ...

    We have shut down the FTP service for 11 domains on one of our servers for security reasons. Hmm.

    Regards, Klaus
     
  8. atomicturtle (Golden Pleskian, joined Nov 20, 2002, Washington, DC)
    The update for ASL users was released yesterday. The build for the Atomic repo should be available shortly.
     
  9. atomicturtle (Golden Pleskian)
    Updated packages should be available for everybody in the [atomic] repo now. For the newcomers, you can upgrade with:

    1) Add atomic:
    wget -q -O - http://www.atomicorp.com/installers/atomic | sh

    2) Update psa-proftpd:
    yum upgrade psa-proftpd
     
  10. KlausR2020 (Guest)
     
    OK, it works if you install pam-devel and compile/recompile the 1.3.3c source. I've copied the proftpd binary to /usr/sbin and it works on SuSE 11.1 x86_64. But the recommended way to fix this is to wait for the official hotfix.

    Regards, Klaus
     
  11. atomicturtle (Golden Pleskian)
    Side note: this package also adds support for:
    * clamav scanning
    * sftp
    * RBLs
     
  12. argonius (Basic Pleskian)
    Thanks

    You made my day :)
     
  13. horst rupp (Basic Pleskian)
    Hello? Any official fix?

    Some people think it's critical:

    "A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process," the entry in the ProFTPD project's bug tracker reads.

    Successful exploitation can be achieved over both FTP and FTPS (FTP over SSL/TLS) connections and doesn't require authentication.

    Therefore, public FTP servers based on ProFTPD are in immediate danger of compromise.

    http://news.softpedia.com/news/Crit...n-Vulnerability-Fixed-in-ProFTPD-164329.shtml
     
  14. horst rupp (Basic Pleskian)
    Ping! Any news?
     
  15. IgorG (Forums Analyst, Staff Member)
    The developers are working on it.
    Use the custom solution described here if it is really important for you.
     
  16. Bevan (Basic Pleskian, joined Aug 12, 2007)
    On my Ubuntu server I didn't want to replace only the binary and leave all other files untouched. So I replaced psa-proftpd with proftpd-basic, which is shipped and maintained by Debian and Ubuntu. For me this works for the moment.
    I wrote down all the steps that were necessary to do so on our server. Maybe it can help someone else: Click
     
  17. zeroday (Basic Pleskian, joined Jan 20, 2009)
    I used the custom solution and ... suddenly my FTP did not work anymore.

    I have a clean server with 10.01
    My FTP was working
    Updated the server with yum
    Added the Atomic repository
    Upgraded proftpd

    And suddenly I had no config files anymore ... duh, weird.
    Fixed it with some tips found here ..
     
  18. Leuviah (Guest)
     
    I had the same problem with Atomic's psa-proftpd on CentOS 5 and Plesk 10.0.1: before, everything was working, but after the update with Atomic's psa-proftpd, FTP did not work anymore. I too fixed it with some tips found here.

    Regards
     
  19. PSi_101 (Regular Pleskian, joined Oct 5, 2004)
    It's very important this gets fixed quickly. My upstream provider has policy blocked port 21 because of this vulnerability.
     
  20. JuergenW (New Pleskian, joined Jun 30, 2010)
    Igor,

    What do you think: when will the fix be available? In a few days (1-3), in a week, or in several weeks?

    JuergenW
     