Using ProFTPd for Core Processing Anywhere?

Thursday, November 11, 2010

Brent Huston

E313765e3bec84b2852c1c758f7244b6

If so, you might want to pay attention to this announcement of a critical remote vulnerability in the daemon.

A patch is now available and should be applied quickly if you have core processes using this application.

You can read the entire alert here:

VULNERABILITY DETAILS: This vulnerability allows remote attackers to execute arbitrary code on ulnerable installations of ProFTPD. Authentication is not required to xploit this vulnerability.

The flaw exists within the proftpd server component which listens by default on TCP port 21.  

When reading user input if a TELNET_IAC escape sequence is encountered the process miscalculates a buffer length
counter value allowing a user controlled copy of data to a stack buffer.

A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process.

A patch is now available and should be applied quickly if you have core processes using this application.

No authentication is required and it is a pretty straight forward buffer overflow, so exploit code should be easy to design and use. Common framework exploits are expected shortly.

Usually ProFTPd is used as a part of core processing, data warehousing and other heavy data processing solutions across a variety of platforms and industries.

You can find installations remotely using nmap -sV scans on your network. Nmap is pretty good at identifying ProFTPd installs.

HoneyPoint users might want to consider deploying port 21/tcp (ftp) listeners to watch for scans for vulnerable servers by attackers.

Detected scanning IPs should be investigated on internal networks and black holed on Internet facing segments.

Cross-posted from State of Security

Possibly Related Articles:
7928
Vulnerabilities
Hardware
Patching Vulnerabilities IPS Nmap
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.