Australia's Leading Computer Emergency Response Team

ASB-2012.0029 - ALERT [UNIX/Linux] ProFTPD (and Plesk): Root compromise - Remote/unauthenticated
Date: 24 February 2012
References: ESB-2010.0759.2  ESB-2012.0018  


                         AUSCERT Security Bulletin

        ProFTPD and Plesk vulnerabilities being actively exploited
                             24 February 2012


        AusCERT Security Bulletin Summary

Product:              ProFTPD
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Root Compromise                 -- Remote/Unauthenticated
                      Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Mitigation
Member content until: Sunday, March 25 2012
Reference:            ESB-2012.0018

Comment: Plesk has patched an SQL injection vulnerability.
         ProFTPD workarounds are available for a root compromise.
         BOTH of these vulnerabilities are being actively exploited.


        AusCERT has received reports of Plesk and ProFTPD exploits being used
        for SQL injection attacks and to gain root access to servers running
        this software.


        The main vulnerability appears to be the so-called "roaring beast"
        exploit for ProFTPD. This vulnerability was first discovered in the
        FreeBSD ftpd server, and was corrected in January 2012. [1]
        This vulnerability is also present in the latest version (1.3.4a) of
        ProFTPD. [2,3] Currently there is no patch available for ProFTPD;
        however, a number of workarounds have been provided (see below).
        Some of the reported exploitation is also believed to have used a
        vulnerability in Plesk for which a patch (or micro update) is
        available. [4] This is believed to be the same vulnerability that
        has recently made headlines due to its use on the Federal Trade
        Commission website. [5]
        While the two vulnerabilities are separate, they can appear to be linked
        because Plesk installs a copy of ProFTPD.


        The ProFTPD issue is not strictly a flaw in ProFTPD itself, but rather
        in the set of conditions that a typical FTP server may be configured
        with, combined with a library loading path problem similar to the
        ones in Windows. [7]
        The exploit works by creating an "etc" and a "lib" directory on the
        FTP server and placing some configuration and binary files in them.
        Specifically "nsswitch.conf" in the "etc" directory and a fake
        "" file in the "lib" directory. Following this, some
        commands ("site chmod ..." and "stat") cause a lookup of user and group
        information. This is done by looking up "/etc/nsswitch.conf" to find how
        to perform this mapping.
        If the FTP directory is in a chrooted environment, the "etc" and "lib"
        directories will appear as "/etc" and "/lib", thereby causing the uploaded
        files to be found instead of the real system files. To allow low ports
        to be opened for active data transfer, ProFTPD keeps root privileges. [8]
        These new files ( are therefore able to attach to current
        root owned processes (eg: cron, syslogd, inetd, sendmail) and provide
        root access to the server.


        Parallels has released a selection of Micro-Updates and fixes for all
        new versions of Plesk and most older versions. [4] These should be
        installed on all systems running Plesk.
        TJ Saunders, one of the ProFTPD developers, has posted a few
        workarounds for the problem on the ProFTPD mailing list: [8,9]
        1) In proftpd.conf set:
          <Global>
            RootRevoke on
          </Global>
        This will cause active data transfers to stop working.
        2) Preventing the required directories from being created:
          # For non-<Anonymous> chrooted logins, use this.
          # NOTE: it ASSUMES that you are using "DefaultRoot ~" to chroot users to
          # their respective home directories.  If you use a different chroot
          # directory, replace '~' with that chroot directory in the configs
          # below.
          <Directory ~/etc>
            <Limit ALL>
              DenyAll
            </Limit>
          </Directory>
          <Directory ~/lib>
            <Limit ALL>
              DenyAll
            </Limit>
          </Directory>
          # And for <Anonymous> logins where uploads are allowed, use:
          <Anonymous ...>
            <Directory etc>
              <Limit ALL>
                DenyAll
              </Limit>
            </Directory>
            <Directory lib>
              <Limit ALL>
                DenyAll
              </Limit>
            </Directory>
          </Anonymous>
        3) If you are running 1.3.4a, you can block just specific file names within
        the directories, rather than the directories themselves:
          <Directory etc>
            <Limit WRITE>
              DenyFilter nsswitch\.conf$
            </Limit>
          </Directory>
          <Directory lib>
            <Limit WRITE>
              DenyFilter \.so$
            </Limit>
          </Directory>
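
        A defender's check that follows from the description and workarounds
        above, as an added example (not part of the AusCERT bulletin or of
        ProFTPD): it scans FTP chroot directories for an uploaded
        "etc/nsswitch.conf" or shared-object names under "lib". The function
        names, the sample tree and the extra ".so.N" match are assumptions of
        this example.

```python
import os
import re
import tempfile

# Workaround 3 filters on "nsswitch.conf" and names ending ".so"; versioned
# ".so.N" names are also matched here (an assumption added for this example).
SO_NAME = re.compile(r"\.so(\.\d+)*$")

def scan_chroot(root):
    """Return findings for one FTP chroot directory (e.g. a user's home)."""
    candidates = []
    nss = os.path.join(root, "etc", "nsswitch.conf")
    if os.path.lexists(nss):
        candidates.append(nss)
    # os.walk yields nothing if <root>/lib does not exist.
    for dirpath, _dirs, files in os.walk(os.path.join(root, "lib")):
        candidates += [os.path.join(dirpath, f) for f in files if SO_NAME.search(f)]
    findings = []
    for path in sorted(candidates):
        st = os.lstat(path)  # lstat: describe a symlink itself, do not follow it
        findings.append({"path": os.path.relpath(path, root),
                         "uid": st.st_uid, "mtime": int(st.st_mtime)})
    return findings

def scan_roots(roots):
    """Map each chroot directory that has findings to those findings."""
    report = {}
    for root in roots:
        hits = scan_chroot(root)
        if hits:
            report[root] = hits
    return report

def build_sample_tree(base):
    """Constructed sample: one clean home, one holding the flagged names."""
    clean, dirty = os.path.join(base, "alice"), os.path.join(base, "bob")
    os.makedirs(os.path.join(clean, "pub"))
    for sub in ("etc", "lib"):
        os.makedirs(os.path.join(dirty, sub))
    for rel in ("etc/nsswitch.conf", "lib/sample_module.so.1", "lib/notes.txt"):
        open(os.path.join(dirty, rel), "w").close()
    return [clean, dirty]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for root, hits in scan_roots(build_sample_tree(base)).items():
            for h in hits:
                print(f"{root}: {h['path']} uid={h['uid']} mtime={h['mtime']}")
```

        The owner uid and modification time in each finding help separate
        files placed by an FTP account from ones an administrator put there
        deliberately.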


        [1] ESB-2012.0018 - [FreeBSD] ftpd: Root compromise - Existing account

        [2] Re: [Proftpd-user] ProFTPD security issue on FreeBSD

        [3] The Roaring Beast Exploit in Action

        [4] [FIX] Remote vulnerability in Plesk Panel

        [5] Plesk control panel bug left FTC sites (and thousands more) exposed
            to Anons

        [6] Re: [Proftpd-user] ProFTPD security issue on FreeBSD

        [7] Microsoft Security Advisory (2269637) - Insecure Library Loading
            Could Allow Remote Code Execution

        [8] Re: [Proftpd-devel] [Proftpd-user] ProFTPD security issue on

        [9] Re: [Proftpd-devel] [Proftpd-user] ProFTPD security issue on

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.