One-year-old ProFTPD exploit now public
For over a year now, attackers could have used ProFTPD to plant and execute arbitrary code on FTP servers that grant write privileges. The developers believe that other attack vectors are also possible and are providing an updated version. The vulnerability was discovered by Evgeny Legerov, who has now released a public exploit module for the Metasploit framework in his commercial VulnDisco package. Legerov claims that the VulnDisco package has contained the exploit since the end of last year.
One vulnerability is related to the sreplace() function, among others. Legerov claims that by combining faulty length calculations, flawed checks for negative values, and the use of these values in copy operations, attackers can execute arbitrary code with root privileges. The publicly available Metasploit exploit demonstrates the security hole for ProFTPD 1.3.0 RC3, although the server's developers believe that all versions up to and including 1.3.0 are vulnerable.
The exploit, as presented, does in fact require write privileges but, in a Bugtracker entry, ProFTPD's programmers concede that there are other attack vectors that would function without that requirement. They have now released version 1.3.0a for download, with the security hole removed. All administrators using ProFTPD should migrate to the new version as soon as possible. The Bugtracker entry also provides countermeasures for users who cannot immediately update their installation.
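A version triage check for the upgrade advice above, as an added example that is not part of the original article or of ProFTPD's code: it classifies FTP greeting banners against the fixed release 1.3.0a. The banner lines are constructed samples, and the release ordering (rcN before the release, letter suffixes after it) is an assumption.

```python
import re

# Assumed ordering: 1.3.0rc3 < 1.3.0 < 1.3.0a (release candidates precede
# the release; a letter suffix marks a later maintenance release).
# The trailing lookahead rejects suffixes this parser does not understand.
_VERSION = re.compile(
    r"ProFTPD\s+(\d+)\.(\d+)\.(\d+)(?:(rc)(\d+)|([a-z]))?(?![\w.])", re.I
)

FIXED = (1, 3, 0, 2, ord("a"))  # 1.3.0a, the fixed release named in the article


def version_key(banner):
    """Return a sortable key for the ProFTPD version in a banner, or None."""
    m = _VERSION.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    if m.group(4):                       # release candidate, e.g. 1.3.0rc3
        return (major, minor, patch, 0, int(m.group(5)))
    if m.group(6):                       # maintenance release, e.g. 1.3.0a
        return (major, minor, patch, 2, ord(m.group(6).lower()))
    return (major, minor, patch, 1, 0)   # plain release, e.g. 1.3.0


def triage(banner):
    """Classify a banner as 'affected', 'fixed' or 'unknown'."""
    key = version_key(banner)
    if key is None:
        return "unknown"                 # hidden or unparseable version
    return "affected" if key < FIXED else "fixed"


# Constructed sample banners (documentation addresses, not real hosts).
SAMPLES = [
    "220 ProFTPD 1.3.0rc3 Server (ftp.example.test) [192.0.2.10]",
    "220 ProFTPD 1.3.0 Server (ftp.example.test) [192.0.2.11]",
    "220 ProFTPD 1.3.0a Server (ftp.example.test) [192.0.2.12]",
    "220 ProFTPD 1.2.10 Server (ftp.example.test) [192.0.2.13]",
    "220 FTP server ready",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{triage(line):9} {line}")
```

A banner without a version string returns "unknown" and says nothing about whether the server is patched, so such hosts need a check of the installed package instead.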
- ProFTPD remote buffer overflow vulnerability, security advisory from Evgeny Legerov
- Bugtracker entry by ProFTPD's developers
- Download of the current version of ProFTPD