News & Media
Become a member »
» ASB-2012.0029 - ALERT [UNIX/Linux] ProFTPD (and Ples...
ASB-2012.0029 - ALERT [UNIX/Linux] ProFTPD (and Plesk): Root compromise - Remote/unauthenticated
24 February 2012
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2012.0029 ProFTPD and Plesk vulnerabilities being actively exploited 24 February 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ProFTPD Plesk Operating System: UNIX variants (UNIX, Linux, OSX) Impact/Access: Root Compromise -- Remote/Unauthenticated Execute Arbitrary Code/Commands -- Remote/Unauthenticated Resolution: Mitigation Member content until: Sunday, March 25 2012 Reference: ESB-2012.0018 ESB-2010.0759 Comment: Plesk has patched an SQL injection vulnerability. ProFTPD workarounds are available for a root compromise. BOTH of these vulnerabilities are being actively exploited. OVERVIEW AusCERT has received reports of Plesk and ProFTPD exploits being used for SQL injection attacks and to gain root access to servers running this software. IMPACT The main vulnerability appears to be the so called "roaring beast" exploit for ProFTPD. This vulnerability was first discovered in the FreeBSD ftpd server, and was corrected in January 2012.  This vulnerability is also present in the latest version (1.3.4a) of ProFTPD. [2,3] Currently there is no patch available for ProFTPD, however a number of workarounds have been provided (see below). Some of the reported exploitation is also believed to have used a vulnerability in Plesk for which a patch (or micro update) is available.  These are believed to be the same vulnerability that has recently made headlines due to its use on the Federal Trade Commission website.  While the two vulnerabilities are separate, they can appear to be linked because Plesk installs a copy of ProFTPD. DETAILS The vulnerability in ProFTPD is actually not really a vulnerability in ProFTPD, but rather in the set of conditions that a typical FTP may be configured with, mixed with a library loading path problem similar to the ones in Windows.  The vulnerability works by creating an "etc" and "lib" directory on the ftp server and placing some configuration and binary files in them. Specifically "nsswitch.conf" in the "etc" directory and a fake "nss_compat.so.1" file in the "lib" directory. Following this, some commands ("site chmod ..." and "stat") cause a lookup of user and group information. This is done by looking up "/etc/nsswitch.conf" to find how to perform this mapping. If the ftp directory is in a chrooted environment, the "lib" and "etc" directories will appear as "/etc" and "/lib" thereby causing the uploaded files to be found instead of the real system files. To allow for low ports to be opened for active data transfer ProFTPD keeps root privileges.  These new files (nss_compat.so.1) are therefore able to attach to current root owned processes (eg: cron, syslogd, inetd, sendmail) and provide root access to the server. MITIGATION Parallels has released a selection of Micro-Updates and fixes for all new versions of Plesk and most older versions.  These should be installed on all systems running Plesk. TJ Saunders, one the of the ProFTPD developers, has posted a few workarounds for the problem on the ProFTPD mailing list: [8,9] 1) In proftpd.conf set: "
" This will stop active data transfers to stop working. 2) Preventing the required directories from being created: " # For non-
chrooted logins, use this. # # NOTE: it ASSUMES that you are using "DefaultRoot ~" to chroot users to # their respective home directories. If you use a different chroot # directory, replace '~' with that chroot directory in the configs # below.
# And for
logins where uploads are allowed, use:
" 3) If you are running 1.3.4a, you can block just specific file names within the directories, rather than the directories themselves: "
" REFERENCES  ESB-2012.0018 - [FreeBSD] ftpd: Root compromise - Existing account http://auscert.org.au/15286  Re: [Proftpd-user] ProFTPD security issue on FreeBSD http://sourceforge.net/mailarchive/message.php?msg_id=28499036  The Roaring Beast Exploit in Action http://www.youtube.com/watch?v=10uedlgNEJA  [FIX] Remote vulnerability in Plesk Panel http://kb.parallels.com/en/113321  Plesk control panel bug left FTC sites (and thousands more) exposed to Anons http://arstechnica.com/business/news/2012/02/plesk-control-panel-bug-left-ftc-sites-and-thousands-more-exposed-to-anon.ars  Re: [Proftpd-user] ProFTPD security issue on FreeBSD http://sourceforge.net/mailarchive/message.php?msg_id=28504560  Microsoft Security Advisory (2269637) - Insecure Library Loading Could Allow Remote Code Execution http://technet.microsoft.com/en-us/security/advisory/2269637  Re: [Proftpd-devel] [Proftpd-user] ProFTPD security issue on FreeBSD http://marc.info/?l=proftpd-devel&m=132311236506886  Re: [Proftpd-devel] [Proftpd-user] ProFTPD security issue on FreeBSD http://marc.info/?l=proftpd-devel&m=132312790012900 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBT0b5te4yVqjM2NGpAQLNNA/+IAzEwX6w7Z/CMoAj8Y+VPQ6s0KxZ3FX8 AToL7l3T+jF10Ub4EGZj1hBPM9trSeycWMh+U/2GIByBEaTbq7cHwkrG/Dsfdcz5 Zat38V8HcHgmlgGTO4Shh9ExC1KV417j/GE0lSyjF+Q2fIwMNcuYJuxkx1yv5/nE GaL0v6qsNbA9q+fAUWYOI5G5l4vuSCFZyUb5dQRagOlUPwpnXxeW8YgzvyxHMh0t ax7avPH106AZdTDaHPJgflG1dh34BZDhCPTbHocsmGaw9qpVhpJ0KA6ogFw/IRZn 8zdTmvLNNTjykMQrlCvB1bUHWzbjcxwADdAsqHLJCyXpxwtU/Rg3X6/g7rjl4nY+ x4rWuWHi8zOJAYfyBaPk/swJcbiAYPIq4UEZIjYXRPC9RtywemuzzYCXpFmgmw+n jL94WfFWYrIVRaiT7MjuWj1HxYTDSvOEA0LlrZ8OvNy+y3fAEg1T2w8VfTI/1f9i NM8puJTsCcD0TrOK6xVLKwtahqvZop0XV6DGCp6lHlAU5RHSRwXHmIMyy5NaIXmq QAz1pK6b8Idp47bk138bqTYqj6wVqzEYH8kvPJDxhq6nOMh9mihiAEfgMlG3+aFP JuBzfHaUGJLcCgdKz5nbpkOzCMD2K0HncW3X/qVq9T2XWk4O9/IEUjfzVqu5kvqA wjy07PhvBAM= =r1cz -----END PGP SIGNATURE-----
Comments? Click here