Jak donosi wiadomość na stronie ProFTPD, odkryto poważny błąd pozwalający na zdalne przejęcie praw administratora systemu z zainstalowanym tym właśnie serwerem ftp. Błąd dotyczy wersji od 1.2.7 do 1.2.9rc2 włącznie. Stare wersje zostały zastąpione poprawionymi bez zmian numeracji i znajdują się pod adrsem ftp://ftp.proftpd.org/distrib/source/. Pełne advisory poniżej.

  Internet Security Systems Security Advisory  September 23, 2003    ProFTPD ASCII File Remote Compromise Vulnerability     Synopsis:    ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD  is a highly configurable FTP (File Transfer Protocol) server for Unix  that allows for per-directory access restrictions, easy configuration of   virtual FTP servers, and support for multiple authentication mechanisms.  A flaw exists in the ProFTPD component that handles incoming ASCII file  transfers.    Impact:    An attacker capable of uploading files to the vulnerable system can  trigger a buffer overflow and execute arbitrary code to gain complete  control of the system. Attackers may use this vulnerability to destroy,  steal, or manipulate data on vulnerable FTP sites.    Affected Versions:    ProFTPD 1.2.7  ProFTPD 1.2.8  ProFTPD 1.2.8rc1  ProFTPD 1.2.8rc2  ProFTPD 1.2.9rc1  ProFTPD 1.2.9rc2    Note: Versions previous to version 1.2.7 may also be vulnerable.    Description:    A vulnerability exists in the ProFTPD server that can be triggered by  remote attackers when transferring files from the FTP server in ASCII  mode. The attacker must have the ability to upload a file to the server,  and then attempt to download the same file to trigger the vulnerability.     The vulnerability occurs when a file is being transferred in ASCII mode.  During a transfer of this type, file data is examined in 1024 byte chunks  to check for newline (n) characters. The translation of these newline  characters is not handled correctly, and a buffer overflow can manifest if  ProFTPD parses a specially crafted file.    The ProFTPD daemon makes an effort to drop superuser privileges to limit  the privilege level associated with any successful attack. However,  X-Force has demonstrated that this security check can be bypassed, and  superuser access can be gained by a remote attacker.    Recommendations:    For identification of potentially vulnerable systems, Internet Security  Systems has provided the following assessment checks:     Internet Scanner XPU 7.6/6.35 ProftpdAsciiXferNewlineBo -   (http://xforce.iss.net/xforce/xfdb/12200)     For Dynamic Threat Protection, Internet Security Systems recommends  applying a Virtual Patch for the ProFTPD vulnerability. Employ the  following protection techniques through ISS’ Dynamic Threat Protection  platform. The following updates have already been made available.     RealSecure Network/Proventia A Series XPU 21.1  FTP_ProFTPD_Translate_Overflow -   (http://xforce.iss.net/xforce/xfdb/12200)     RealSecure Server XPU 21.1 FTP_ProFTPD_Translate_Overflow -   (http://xforce.iss.net/xforce/xfdb/12200)     For Manual Protection, ISS has offered the following recommendations:    Successful exploitation is not possible if attackers cannot upload files  to a vulnerable FTP server. Where possible it is advisable to disable the  ability for users to perform FTP uploads, either with file permissions or  using ProFTPD configuration parameters:    <Limit WRITE>       DenyAll  </Limit>    Risk can also be mitigated by using configuration options which cause root  privileges to be dropped altogether by the ProFTPD daemon (although this  feature may disable certain ProFTPD functionality):    RootRevoke on    X-Force recommends that ProFTPD users upgrade to the patched version of  ProFTPD when it becomes available.    Additional Information:    The ProFTPD Project  http://www.proftpd.org    Credit:    This vulnerability was discovered and researched by Mark Dowd of the ISS  X-Force.    ______    About Internet Security Systems (ISS)  Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a  pioneer and world leader in software and services that protect critical  online resources from an ever-changing spectrum of threats and misuse.  Internet Security Systems is headquartered in Atlanta, GA, with  additional operations throughout the Americas, Asia, Australia, Europe  and the Middle East.    Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved  worldwide.    This document is not to be edited or altered in any way without the  express written consent of Internet Security Systems, Inc. If you wish  to reprint the whole or any part of this document, please email    xforce@iss.net for permission. You may provide links to this document  from your web site, and you may make copies of this document in  accordance with the fair use doctrine of the U.S. copyright laws.     Disclaimer: The information within this paper may change without notice.  Use of this information constitutes acceptance for use in an AS IS  condition. There are NO warranties, implied or otherwise, with regard to  this information or its use. Any use of this information is at the  user's risk. In no event shall the author/distributor (Internet Security  Systems X-Force) be held liable for any damages whatsoever arising out  of or in connection with the use or spread of this information.    X-Force PGP Key available on MIT's PGP key server and PGP.com's key  server, as well as at http://www.iss.net/security_center/sensitive.php  Please send suggestions, updates, and comments to: X-Force    xforce@iss.net of Internet Security Systems, Inc.   

Archiwalny news dodany przez użytkownika: cborys.
Kliknij tutaj by zobaczyć archiwalne komentarze.

Oznaczone jako → 
Share →