copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ASB-2012.0029 - ALERT [UNIX/Linux] ProFTPD (and Plesk): Root compromise - Remote/unauthenticated

Date: 24 February 2012
References: ESB-2010.0759.2  ESB-2012.0018  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0029
        ProFTPD and Plesk vulnerabilities being actively exploited
                             24 February 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              ProFTPD
                      Plesk
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Root Compromise                 -- Remote/Unauthenticated
                      Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Mitigation
Member content until: Sunday, March 25 2012
Reference:            ESB-2012.0018
                      ESB-2010.0759

Comment: Plesk has patched an SQL injection vulnerability.
         
         ProFTPD workarounds are available for a root compromise.
         
         BOTH of these vulnerabilities are being actively exploited.

OVERVIEW

        AusCERT has received reports of Plesk and ProFTPD exploits being used
        for SQL injection attacks and to gain root access to servers running
        this software.


IMPACT

        The main vulnerability appears to be the so called "roaring beast"
        exploit for ProFTPD. This vulnerability was first discovered in the
        FreeBSD ftpd server, and was corrected in January 2012. [1]
        
        This vulnerability is also present in the latest version (1.3.4a) of
        ProFTPD. [2,3] Currently there is no patch available for ProFTPD,
        however a number of workarounds have been provided (see below).
        
        Some of the reported exploitation is also believed to have used a
        vulnerability in Plesk for which a patch (or micro update) is
        available. [4] These are believed to be the same vulnerability that
        has recently made headlines due to its use on the Federal Trade
        Commission website. [5]
        
        While the two vulnerabilities are separate, they can appear to be linked
        because Plesk installs a copy of ProFTPD.


DETAILS

        The vulnerability in ProFTPD is actually not really a vulnerability in
        ProFTPD, but rather in the set of conditions that a typical FTP may be
        configured with, mixed with a library loading path problem similar to
        the ones in Windows. [7]
        
        The vulnerability works by creating an "etc" and "lib" directory on the
        ftp server and placing some configuration and binary files in them.
        Specifically "nsswitch.conf" in the "etc" directory and a fake
        "nss_compat.so.1" file in the "lib" directory. Following this, some
        commands ("site chmod ..." and "stat") cause a lookup of user and group
        information. This is done by looking up "/etc/nsswitch.conf" to find how
        to perform this mapping.
        
        If the ftp directory is in a chrooted environment, the "lib" and "etc"
        directories will appear as "/etc" and "/lib" thereby causing the uploaded
        files to be found instead of the real system files. To allow for low ports
        to be opened for active data transfer ProFTPD keeps root privileges. [8]
        These new files (nss_compat.so.1) are therefore able to attach to current
        root owned processes (eg: cron, syslogd, inetd, sendmail) and provide
        root access to the server.


MITIGATION

        Parallels has released a selection of Micro-Updates and fixes for all
        new versions of Plesk and most older versions. [4] These should be
        installed on all systems running Plesk.
        
        TJ Saunders, one the of the ProFTPD developers, has posted a few
        workarounds for the problem on the ProFTPD mailing list: [8,9]
        
        1) In proftpd.conf set:
        " <Global>
            RootRevoke on
          </Global>"
        This will stop active data transfers to stop working.
        
        2) Preventing the required directories from being created:
        " # For non-<Anonymous> chrooted logins, use this.
          #
          # NOTE: it ASSUMES that you are using "DefaultRoot ~" to chroot users to 
          # their respective home directories.  If you use a different chroot
          # directory, replace '~' with that chroot directory in the configs 
          # below.
          <Directory ~/etc>
            <Limit ALL>
              DenyAll
            </Limit>
          </Directory>
        
          <Directory ~/lib>
            <Limit ALL>
              DenyAll
            </Limit>
          </Directory>
        
          # And for <Anonymous> logins where uploads are allowed, use:
          <Anonymous ...>
            ...
            <Directory etc>
              <Limit ALL>
                DenyAll
              </Limit>
            </Directory>
        
            <Directory lib>
              <Limit ALL>
                DenyAll
              </Limit>
            </Directory>
          </Anonymous>"
        
        3) If you are running 1.3.4a, you can block just specific file names within
        the directories, rather than the directories themselves:
        " <Directory etc>
            <Limit WRITE>
              DenyFilter nsswitch\.conf$
            </Limit>
          </Directory>
        
          <Directory lib>
            <Limit WRITE>
              DenyFilter \.so$
            </Limit>
          </Directory>"


REFERENCES

        [1] ESB-2012.0018 - [FreeBSD] ftpd: Root compromise - Existing account
            http://auscert.org.au/15286

        [2] Re: [Proftpd-user] ProFTPD security issue on FreeBSD
            http://sourceforge.net/mailarchive/message.php?msg_id=28499036

        [3] The Roaring Beast Exploit in Action
            http://www.youtube.com/watch?v=10uedlgNEJA

        [4] [FIX] Remote vulnerability in Plesk Panel
            http://kb.parallels.com/en/113321

        [5] Plesk control panel bug left FTC sites (and thousands more) exposed
            to Anons
            http://arstechnica.com/business/news/2012/02/plesk-control-panel-bug-left-ftc-sites-and-thousands-more-exposed-to-anon.ars

        [6] Re: [Proftpd-user] ProFTPD security issue on FreeBSD
            http://sourceforge.net/mailarchive/message.php?msg_id=28504560

        [7] Microsoft Security Advisory (2269637) - Insecure Library Loading
            Could Allow Remote Code Execution
            http://technet.microsoft.com/en-us/security/advisory/2269637

        [8] Re: [Proftpd-devel] [Proftpd-user] ProFTPD security issue on
            FreeBSD
            http://marc.info/?l=proftpd-devel&m=132311236506886

        [9] Re: [Proftpd-devel] [Proftpd-user] ProFTPD security issue on
            FreeBSD
            http://marc.info/?l=proftpd-devel&m=132312790012900

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT0b5te4yVqjM2NGpAQLNNA/+IAzEwX6w7Z/CMoAj8Y+VPQ6s0KxZ3FX8
AToL7l3T+jF10Ub4EGZj1hBPM9trSeycWMh+U/2GIByBEaTbq7cHwkrG/Dsfdcz5
Zat38V8HcHgmlgGTO4Shh9ExC1KV417j/GE0lSyjF+Q2fIwMNcuYJuxkx1yv5/nE
GaL0v6qsNbA9q+fAUWYOI5G5l4vuSCFZyUb5dQRagOlUPwpnXxeW8YgzvyxHMh0t
ax7avPH106AZdTDaHPJgflG1dh34BZDhCPTbHocsmGaw9qpVhpJ0KA6ogFw/IRZn
8zdTmvLNNTjykMQrlCvB1bUHWzbjcxwADdAsqHLJCyXpxwtU/Rg3X6/g7rjl4nY+
x4rWuWHi8zOJAYfyBaPk/swJcbiAYPIq4UEZIjYXRPC9RtywemuzzYCXpFmgmw+n
jL94WfFWYrIVRaiT7MjuWj1HxYTDSvOEA0LlrZ8OvNy+y3fAEg1T2w8VfTI/1f9i
NM8puJTsCcD0TrOK6xVLKwtahqvZop0XV6DGCp6lHlAU5RHSRwXHmIMyy5NaIXmq
QAz1pK6b8Idp47bk138bqTYqj6wVqzEYH8kvPJDxhq6nOMh9mihiAEfgMlG3+aFP
JuBzfHaUGJLcCgdKz5nbpkOzCMD2K0HncW3X/qVq9T2XWk4O9/IEUjfzVqu5kvqA
wjy07PhvBAM=
=r1cz
-----END PGP SIGNATURE-----