Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0029
ProFTPD and Plesk vulnerabilities being actively exploited
24 February 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ProFTPD
Plesk
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Root Compromise -- Remote/Unauthenticated
Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Mitigation
Member content until: Sunday, March 25 2012
Reference: ESB-2012.0018
ESB-2010.0759
Comment: Plesk has patched an SQL injection vulnerability.
ProFTPD workarounds are available for a root compromise.
BOTH of these vulnerabilities are being actively exploited.
OVERVIEW
AusCERT has received reports of Plesk and ProFTPD exploits being used
for SQL injection attacks and to gain root access to servers running
this software.
IMPACT
The main vulnerability appears to be the so called "roaring beast"
exploit for ProFTPD. This vulnerability was first discovered in the
FreeBSD ftpd server, and was corrected in January 2012. [1]
This vulnerability is also present in the latest version (1.3.4a) of
ProFTPD. [2,3] Currently there is no patch available for ProFTPD,
however a number of workarounds have been provided (see below).
Some of the reported exploitation is also believed to have used a
vulnerability in Plesk for which a patch (or micro update) is
available. [4] These are believed to be the same vulnerability that
has recently made headlines due to its use on the Federal Trade
Commission website. [5]
While the two vulnerabilities are separate, they can appear to be linked
because Plesk installs a copy of ProFTPD.
DETAILS
The vulnerability in ProFTPD is actually not really a vulnerability in
ProFTPD, but rather in the set of conditions that a typical FTP may be
configured with, mixed with a library loading path problem similar to
the ones in Windows. [7]
The vulnerability works by creating an "etc" and "lib" directory on the
ftp server and placing some configuration and binary files in them.
Specifically "nsswitch.conf" in the "etc" directory and a fake
"nss_compat.so.1" file in the "lib" directory. Following this, some
commands ("site chmod ..." and "stat") cause a lookup of user and group
information. This is done by looking up "/etc/nsswitch.conf" to find how
to perform this mapping.
If the ftp directory is in a chrooted environment, the "lib" and "etc"
directories will appear as "/etc" and "/lib" thereby causing the uploaded
files to be found instead of the real system files. To allow for low ports
to be opened for active data transfer ProFTPD keeps root privileges. [8]
These new files (nss_compat.so.1) are therefore able to attach to current
root owned processes (eg: cron, syslogd, inetd, sendmail) and provide
root access to the server.
MITIGATION
Parallels has released a selection of Micro-Updates and fixes for all
new versions of Plesk and most older versions. [4] These should be
installed on all systems running Plesk.
TJ Saunders, one the of the ProFTPD developers, has posted a few
workarounds for the problem on the ProFTPD mailing list: [8,9]
1) In proftpd.conf set:
" <Global>
RootRevoke on
</Global>"
This will stop active data transfers to stop working.
2) Preventing the required directories from being created:
" # For non-<Anonymous> chrooted logins, use this.
#
# NOTE: it ASSUMES that you are using "DefaultRoot ~" to chroot users to
# their respective home directories. If you use a different chroot
# directory, replace '~' with that chroot directory in the configs
# below.
<Directory ~/etc>
<Limit ALL>
DenyAll
</Limit>
</Directory>
<Directory ~/lib>
<Limit ALL>
DenyAll
</Limit>
</Directory>
# And for <Anonymous> logins where uploads are allowed, use:
<Anonymous ...>
...
<Directory etc>
<Limit ALL>
DenyAll
</Limit>
</Directory>
<Directory lib>
<Limit ALL>
DenyAll
</Limit>
</Directory>
</Anonymous>"
3) If you are running 1.3.4a, you can block just specific file names within
the directories, rather than the directories themselves:
" <Directory etc>
<Limit WRITE>
DenyFilter nsswitch\.conf$
</Limit>
</Directory>
<Directory lib>
<Limit WRITE>
DenyFilter \.so$
</Limit>
</Directory>"
REFERENCES
[1] ESB-2012.0018 - [FreeBSD] ftpd: Root compromise - Existing account
http://auscert.org.au/15286
[2] Re: [Proftpd-user] ProFTPD security issue on FreeBSD
http://sourceforge.net/mailarchive/message.php?msg_id=28499036
[3] The Roaring Beast Exploit in Action
http://www.youtube.com/watch?v=10uedlgNEJA
[4] [FIX] Remote vulnerability in Plesk Panel
http://kb.parallels.com/en/113321
[5] Plesk control panel bug left FTC sites (and thousands more) exposed
to Anons
http://arstechnica.com/business/news/2012/02/plesk-control-panel-bug-left-ftc-sites-and-thousands-more-exposed-to-anon.ars
[6] Re: [Proftpd-user] ProFTPD security issue on FreeBSD
http://sourceforge.net/mailarchive/message.php?msg_id=28504560
[7] Microsoft Security Advisory (2269637) - Insecure Library Loading
Could Allow Remote Code Execution
http://technet.microsoft.com/en-us/security/advisory/2269637
[8] Re: [Proftpd-devel] [Proftpd-user] ProFTPD security issue on
FreeBSD
http://marc.info/?l=proftpd-devel&m=132311236506886
[9] Re: [Proftpd-devel] [Proftpd-user] ProFTPD security issue on
FreeBSD
http://marc.info/?l=proftpd-devel&m=132312790012900
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBT0b5te4yVqjM2NGpAQLNNA/+IAzEwX6w7Z/CMoAj8Y+VPQ6s0KxZ3FX8
AToL7l3T+jF10Ub4EGZj1hBPM9trSeycWMh+U/2GIByBEaTbq7cHwkrG/Dsfdcz5
Zat38V8HcHgmlgGTO4Shh9ExC1KV417j/GE0lSyjF+Q2fIwMNcuYJuxkx1yv5/nE
GaL0v6qsNbA9q+fAUWYOI5G5l4vuSCFZyUb5dQRagOlUPwpnXxeW8YgzvyxHMh0t
ax7avPH106AZdTDaHPJgflG1dh34BZDhCPTbHocsmGaw9qpVhpJ0KA6ogFw/IRZn
8zdTmvLNNTjykMQrlCvB1bUHWzbjcxwADdAsqHLJCyXpxwtU/Rg3X6/g7rjl4nY+
x4rWuWHi8zOJAYfyBaPk/swJcbiAYPIq4UEZIjYXRPC9RtywemuzzYCXpFmgmw+n
jL94WfFWYrIVRaiT7MjuWj1HxYTDSvOEA0LlrZ8OvNy+y3fAEg1T2w8VfTI/1f9i
NM8puJTsCcD0TrOK6xVLKwtahqvZop0XV6DGCp6lHlAU5RHSRwXHmIMyy5NaIXmq
QAz1pK6b8Idp47bk138bqTYqj6wVqzEYH8kvPJDxhq6nOMh9mihiAEfgMlG3+aFP
JuBzfHaUGJLcCgdKz5nbpkOzCMD2K0HncW3X/qVq9T2XWk4O9/IEUjfzVqu5kvqA
wjy07PhvBAM=
=r1cz
-----END PGP SIGNATURE-----