Article ID: 9360, created on Nov 25, 2010, last review on Aug 12, 2014

Applies to:
  • Small Business Panel 10.x for Linux/Unix
  • Plesk 10.x for Linux
  • Plesk 9.x for Linux/Unix

OVERVIEW OF THE VULNERABILITY AND EXPLOIT

A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences.

ProFTPD bug report: #3521

DETAILS ON THE VULNERABILITY AND EXPLOIT

ProFTPD processes TELNET IAC sequences on the FTP control connection (port 21); these sequences enable or disable options that the Telnet or FTP protocol itself does not support. The buffer overflow allows attackers to write arbitrary code onto the application's stack and execute it. Updating ProFTPD to version 1.3.3c fixes the problem. The update also fixes a directory traversal vulnerability that can only be exploited if the "mod_site_misc" module is loaded; this flaw could allow attackers with write privileges to leave their permitted path and delete directories or create symbolic links outside of it. The module is not compiled or loaded by default.
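The security-relevant point above is that the control-channel line reader must account for the IAC sequences it strips when it decides how much room is left in its output buffer. The following is an added illustration written for this article; it is not ProFTPD's code and not the Parallels micro-update. It shows a bounded line reader that does the same job as pr_netio_telnet_gets() (drop IAC option negotiation, unescape IAC IAC, copy the rest of the line) while checking every store against the remaining space, so a line packed with IAC sequences can only be rejected, never written past the buffer. The function name, the sample inputs and the 16-byte buffer size are constructed for the example; SB/SE suboption blocks are not modelled beyond dropping the SB command byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TELNET command bytes (RFC 854). */
#define TN_IAC  255
#define TN_DONT 254
#define TN_DO   253
#define TN_WONT 252
#define TN_WILL 251

/*
 * Copy one line from src into dst, stripping TELNET IAC sequences.
 * Every store is checked against the room left in dst, so a long run
 * of IAC sequences can never move the write position past the buffer.
 *
 * Returns the number of bytes stored in dst (excluding the NUL), or -1
 * if the line does not fit. dst is always NUL-terminated on return.
 */
long telnet_gets_safe(char *dst, size_t dstsz,
                      const unsigned char *src, size_t srclen)
{
    size_t in = 0, out = 0;

    if (dstsz == 0)
        return -1;

    while (in < srclen) {
        unsigned char c = src[in];

        if (c == TN_IAC) {
            if (in + 1 >= srclen)
                break;                 /* truncated sequence: wait for more input */
            unsigned char cmd = src[in + 1];

            if (cmd == TN_IAC) {
                in += 2;               /* IAC IAC is an escaped literal 0xFF data byte */
                c = TN_IAC;            /* fall through to the bounded store */
            } else if (cmd == TN_WILL || cmd == TN_WONT ||
                       cmd == TN_DO   || cmd == TN_DONT) {
                if (in + 2 >= srclen)
                    break;             /* option byte not yet received */
                in += 3;               /* option negotiation: we support none, drop it */
                continue;
            } else {
                in += 2;               /* any other two-byte command: drop it */
                continue;
            }
        } else {
            in += 1;
        }

        /* Bounded store: always leave one byte for the terminating NUL. */
        if (out + 1 >= dstsz) {
            dst[dstsz - 1] = '\0';
            return -1;                 /* line too long for the buffer */
        }
        dst[out++] = (char)c;

        if (c == '\n')
            break;                     /* end of line reached */
    }

    dst[out] = '\0';
    return (long)out;
}

/* Constructed sample inputs (not captured traffic). */
/* "USER " followed by IAC WILL ECHO, then "x\r\n". */
static const unsigned char SAMPLE_NEGOTIATION[] =
    { 'U', 'S', 'E', 'R', ' ', TN_IAC, TN_WILL, 1, 'x', '\r', '\n' };
/* A lone escaped 0xFF data byte followed by newline. */
static const unsigned char SAMPLE_LITERAL[] = { TN_IAC, TN_IAC, '\n' };
/* 32 escaped 0xFF bytes: 64 input bytes that decode to 32 output bytes,
 * more than a 16-byte line buffer can hold. */
#define IAC2  TN_IAC, TN_IAC
#define IAC8  IAC2, IAC2, IAC2, IAC2
#define IAC32 IAC8, IAC8, IAC8, IAC8
static const unsigned char SAMPLE_FLOOD[] = { IAC32, '\n' };

/* Deliberately small line buffer to make the bound easy to hit. */
char line_buf[16];

int main(void)
{
    long n = telnet_gets_safe(line_buf, sizeof line_buf,
                              SAMPLE_NEGOTIATION, sizeof SAMPLE_NEGOTIATION);
    printf("%ld bytes after stripping negotiation: %s", n, line_buf);
    n = telnet_gets_safe(line_buf, sizeof line_buf, SAMPLE_FLOOD, sizeof SAMPLE_FLOOD);
    printf("flood of escaped IAC bytes -> %ld (rejected, buffer intact)\n", n);
    return 0;
}
```

The design choice worth noting is that the reader tracks the output position separately from the input position and tests the output bound before every store; the amount of data removed by IAC stripping never enters the space calculation, so no combination of sequences can make the remaining-room arithmetic go negative.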

DETAILS ON THE MICRO-UPDATE FOR ProFTPD 1.3.2 VERSION

Parallels has used its micro-update patch functionality in Plesk 9.5.x, Plesk 10, and Small Business Panel 10.2 to fix this vulnerability. You can find instructions on installing micro-updates in the article Using Micro-Updates in Parallels Plesk Panel 9.x, 10.x and Parallels Small Business Panel. However, micro-updates do not change the version of the Parallels Plesk packages. Therefore security scanners may raise an alert if they detect the old build of ProFTPD 1.3.2.

If a security scanner raises such an alert, you can check that the micro-update is actually installed on your Parallels Plesk Panel server by following the instructions in How to verify fixed proftpd was installed after installation of microupdate in Parallels Plesk Panel 9.5.2, 9.5.3 and 10.0.1.

If you confirm that the micro-update for the ProFTPD Remote Code Execution Vulnerability described here has been installed successfully on your server, you can treat the security scanner alert as a reaction to the old build number of ProFTPD 1.3.2, not as a real security problem.

