ProFTPD ASCII file newline buffer overflow

proftpd-ascii-xfer-newline-bo (12200) Risk level: High

Description:

ProFTPD is an FTP (File Transfer Protocol) server for Unix platforms. A vulnerability in ProFTPD versions 1.2.7 through 1.2.9rc2 (and possibly versions prior to 1.2.7) could allow an attacker to overflow a buffer and gain access using ASCII mode file transfers.

An attacker capable of uploading files to the vulnerable system can trigger a buffer overflow and execute arbitrary code to gain complete control of the system. Attackers may use this vulnerability to destroy, steal, or manipulate data on vulnerable FTP sites. The attacker must have the ability to upload a file to the server, and then attempt to download the same file to trigger the vulnerability.

The vulnerability occurs when a file is being transferred in ASCII mode. During a transfer of this type, file data is examined in 1024 byte chunks to check for newline (\n) characters. The translation of these newline characters is not handled correctly, and a buffer overflow can manifest if ProFTPD parses a specially crafted file.
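The hazard described above is that LF-to-CRLF translation can produce more bytes than were read: a chunk consisting mostly of newlines almost doubles in size. The following C example is added here and is not ProFTPD's code; it does not reproduce ProFTPD's specific defect but shows how a translator bounded on its output buffer refuses the worst-case chunk instead of writing past it (chunk size of 1024 taken from the advisory, function names are assumptions).

```c
#include <stddef.h>
#include <string.h>

/* Chunk size named in the advisory: ASCII-mode data is examined 1024 bytes at a time. */
#define XFER_CHUNK 1024

/* Bytes needed to hold `inlen` bytes of input after LF -> CRLF translation.
 * Every bare '\n' grows by one byte, so the worst case is 2 * inlen. */
size_t ascii_xlate_required(const char *in, size_t inlen) {
    size_t n = inlen;
    for (size_t i = 0; i < inlen; i++)
        if (in[i] == '\n' && (i == 0 || in[i - 1] != '\r')) n++;
    return n;
}

/* Bounds-checked LF -> CRLF translation (hypothetical helper, not ProFTPD's).
 * Returns 0 and sets *outlen on success; returns -1, having written nothing
 * beyond `outcap`, if the translated data would not fit. An existing "\r\n"
 * pair is passed through unchanged rather than doubled. */
int ascii_xlate_bounded(const char *in, size_t inlen,
                        char *out, size_t outcap, size_t *outlen) {
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (in[i] == '\n' && (i == 0 || in[i - 1] != '\r')) {
            if (o + 2 > outcap) return -1;   /* CRLF would overrun the buffer */
            out[o++] = '\r';
            out[o++] = '\n';
        } else {
            if (o + 1 > outcap) return -1;
            out[o++] = in[i];
        }
    }
    *outlen = o;
    return 0;
}

/* Worst case: a 1024-byte chunk that is all newlines needs 2048 output bytes.
 * Returns 1 if an output buffer of one chunk is sufficient, 0 if the
 * translator had to refuse (constructed input, built in place). */
int chunk_buffer_fits_worst_case(void) {
    char in[XFER_CHUNK], out[XFER_CHUNK];
    size_t outlen = 0;
    memset(in, '\n', sizeof in);
    return ascii_xlate_bounded(in, sizeof in, out, sizeof out, &outlen) == 0;
}
```

Sizing the output buffer from ascii_xlate_required() before translating, or refusing as above, is the check a chunked ASCII translator needs; an output buffer equal to the input chunk size is not enough.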

The ProFTPD daemon makes an effort to drop superuser privileges to limit the privilege level associated with any successful attack. However, X-Force has demonstrated that this security check can be bypassed, and superuser access can be gained by a remote attacker.

Platforms Affected:

  • Conectiva, Linux 9.0
  • Gentoo, Linux
  • MandrakeSoft, Mandrakelinux 9.1 PPC
  • MandrakeSoft, Mandrakelinux 9.1
  • MandrakeSoft, Mandrakelinux 9.2 AMD64
  • MandrakeSoft, Mandrakelinux 9.2
  • OpenPKG, OpenPKG 1.2
  • OpenPKG, OpenPKG 1.3
  • OpenPKG, OpenPKG CURRENT
  • ProFTPD, ProFTPD 1.2.7
  • ProFTPD, ProFTPD 1.2.7rc1
  • ProFTPD, ProFTPD 1.2.7rc2
  • ProFTPD, ProFTPD 1.2.7rc3
  • ProFTPD, ProFTPD 1.2.8
  • ProFTPD, ProFTPD 1.2.8rc1
  • ProFTPD, ProFTPD 1.2.8rc2
  • ProFTPD, ProFTPD 1.2.9rc1
  • ProFTPD, ProFTPD 1.2.9rc2
  • Slackware, Slackware Linux 8.1
  • Slackware, Slackware Linux 9.0
  • Slackware, Slackware Linux current
  • SuSE, SuSE Linux 7.2
  • SuSE, SuSE Linux 8.0
  • SuSE, SuSE Linux 8.1
  • SuSE, SuSE Linux 8.2
  • Trustix, Secure Linux 1.2
  • Trustix, Secure Linux 1.5
  • Trustix, Secure Linux 2.0
  • Turbolinux, Turbolinux 7 Server
  • Turbolinux, Turbolinux 7 Workstation
  • Turbolinux, Turbolinux 8 Server
  • Turbolinux, Turbolinux 8 Workstation
  • Turbolinux, Turbolinux Server 6.5

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
ProftpdAsciiXferNewlineBo

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
FTP_ProFTPD_Translate_Overflow

For Manual Protection:

Successful exploitation is not possible if attackers cannot upload files to a vulnerable FTP server. Where possible it is advisable to disable the ability for users to perform FTP uploads, either with file permissions or using ProFTPD configuration parameters:

<Limit WRITE>
DenyAll
</Limit>

Risk can also be mitigated by using configuration options which cause root privileges to be dropped altogether by the ProFTPD daemon (although this feature may disable certain ProFTPD functionality):

RootRevoke on

X-Force recommends that ProFTPD users upgrade to the patched version of ProFTPD when it becomes available.

For Slackware Linux:
Upgrade to the latest proftpd package, as listed below. Refer to slackware-security Mailing List, Tue, 23 Sep 2003 23:06:38 -0700 (PDT) for more information. See References.

Slackware Linux 8.1, 9.0, -current: -1.2.8p-i386-1 or later

For Mandrake Linux:
Upgrade to the latest proftpd package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:095-1 for more information. See References.

Mandrake Linux 9.1: 1.2.8-1.2.91mdk or later
Mandrake Linux 9.2: 1.2.8-5.2.92mdk

For OpenPKG:
Upgrade to the latest proftpd package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.043 for more information. See References.

OpenPKG CURRENT: 1.2.9rc2-20030923 or later
OpenPKG 1.2: 1.2.7-1.2.1 or later
OpenPKG 1.3: 1.2.8-1.3.1 or later

For Trustix Secure Linux:
Upgrade to the latest version of proftpd (1.2.8-10tr or later), as listed in Trustix Security Advisory #2003-0037. See References.

For Gentoo Linux:
Upgrade to the latest version of proftpd (1.29_rc2 or later), as listed in Gentoo Linux Security Announcement 200309-16. See References.

For Conectiva Linux:
Upgrade to the latest proftpd package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2003:750 for more information. See References.

Conectiva Linux 9: 1.2.7-27285U90_2cl or later

For Turbolinux:
Upgrade to the latest proftpd package (1.2.8-3 or later), as listed in Turbolinux Security Advisory TLSA-2003-54. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

Reported:

Sep 23, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
