Advisories Internet Security Systems Security Advisory September 23, 2003 ProFTPD ASCII File Remote Compromise Vulnerability Synopsis: ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD is a highly configurable FTP (File Transfer Protocol) server for Unix that allows for per-directory access restrictions, easy configuration of virtual FTP servers, and support for multiple authentication mechanisms. A flaw exists in the ProFTPD component that handles incoming ASCII file transfers. Impact: An attacker capable of uploading files to the vulnerable system can trigger a buffer overflow and execute arbitrary code to gain complete control of the system. Attackers may use this vulnerability to destroy, steal, or manipulate data on vulnerable FTP sites. Affected Versions: ProFTPD 1.2.7 ProFTPD 1.2.8 ProFTPD 1.2.8rc1 ProFTPD 1.2.8rc2 ProFTPD 1.2.9rc1 ProFTPD 1.2.9rc2 Description: A vulnerability exists in the ProFTPD server that can be triggered by remote attackers when transferring files from the FTP server in ASCII mode. The attacker must have the ability to upload a file to the server, and then attempt to download the same file to trigger the vulnerability. The vulnerability occurs when a file is being transferred in ASCII mode. During a transfer of this type, file data is examined in 1024 byte chunks to check for newline (\n) characters. The translation of these newline characters is not handled correctly, and a buffer overflow can manifest if ProFTPD parses a specially crafted file. The ProFTPD daemon makes an effort to drop superuser privileges to limit the privilege level associated with any successful attack. However, X-Force has demonstrated that this security check can be bypassed, and superuser access can be gained by a remote attacker. Recommendations: For identification of potentially vulnerable systems, Internet Security Systems has provided the following assessment checks: Internet Scanner XPU 7.6/6.35 ProftpdAsciiXferNewlineBo - (http://xforce.iss.net/xforce/xfdb/12200) For Dynamic Threat Protection, Internet Security Systems recommends applying a Virtual Patch for the ProFTPD vulnerability. Employ the following protection techniques through ISS’ Dynamic Threat Protection platform. The following updates have already been made available. RealSecure Network/Proventia A Series XPU 21.1 FTP_ProFTPD_Translate_Overflow - (http://xforce.iss.net/xforce/xfdb/12200) RealSecure Server XPU 21.1 FTP_ProFTPD_Translate_Overflow - (http://xforce.iss.net/xforce/xfdb/12200) For Manual Protection, ISS has offered the following recommendations: Successful exploitation is not possible if attackers cannot upload files to a vulnerable FTP server. Where possible it is advisable to disable the ability for users to perform FTP uploads, either with file permissions or using ProFTPD configuration parameters: DenyAll Risk can also be mitigated by using configuration options which cause root privileges to be dropped altogether by the ProFTPD daemon (although this feature may disable certain ProFTPD functionality): RootRevoke on X-Force recommends that ProFTPD users upgrade to the patched version of ProFTPD when it becomes available. Additional Information: The ProFTPD Project http://www.proftpd.org Credit: This vulnerability was discovered and researched by Mark Dowd of the ISS X-Force. ______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved worldwide. This document is not to be edited or altered in any way without the express written consent of Internet Security Systems, Inc. If you wish to reprint the whole or any part of this document, please email xforce@iss.net for permission. You may provide links to this document from your web site, and you may make copies of this document in accordance with the fair use doctrine of the U.S. copyright laws. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.