proftpd security vulerability??? Where can I find more info?

[BianchiDude]

proftpd security vulerability??? Where can I find more info?

was this on Bug Traq, I dont remember seeing anything on it.

Security At this time, it is recommended that all customers using proftpd Switch to pure-ftpd as soon as possible to eliminate a potential security hole. Please note that all released versions of proftpd are belived to be affected and the exact problem is not yet known. Customers who experience the problems switching are welcomed to bypass the normal support procedure and submit a ticket directly at http://support.cpanel.net

 

[aaronray]

I also can't find anything on this other than at cPanel. We have this on some of our other non cPanel machines and it's working OK, and I really don't want to switch to Pure due to its poor scalability. Can we get input from someone at cPanel as to a specific Secunia advisory or a specific bug that's reported in Bugzilla?

 

[dbarclay]

switch to pureFtp - FAILED

I have attempted to switch from proFtp to pureFtp but it fails.

WHM 9.9.9 cPanel 9.9.9-R14
SuSE 8.2 i686 - WHM X v3.1.0

thoughts?

 

[cPanelNick]

proftpd security vulerability??? Where can I find more info?

was this on Bug Traq, I dont remember seeing anything on it.

Security At this time, it is recommended that all customers using proftpd Switch to pure-ftpd as soon as possible to eliminate a potential security hole. Please note that all released versions of proftpd are belived to be affected and the exact problem is not yet known. Customers who experience the problems switching are welcomed to bypass the normal support procedure and submit a ticket directly at http://support.cpanel.net

This has yet to be offically confirmed. However I was personally able to get root with proftpd 1.3.0rc1, and I've been told others have had success doing so with 1.2.0.

 

[manokiss]

ok, but what about all the bugs pure-ftpd have? like the quota setup and those things? there will be any fix today?

 

[cPanelNick]

ok, but what about all the bugs pure-ftpd have? like the quota setup and those things? there will be any fix today?

The only known problem with pure-ftpd is editting the quota..which may already be fixed in edge (waiting for qa verification)

 

[fubfub]

Just out of curiousity: Is this also an issue with a grsec patched kernel?

 

[manokiss]

that will be great Nick, thank you!

 

[BianchiDude]

This has yet to be offically confirmed. However I was personally able to get root with proftpd 1.3.0rc1, and I've been told others have had success doing so with 1.2.0.

How did you get root?

 

[cPanelBilly]

How did you get root?

That will not be released publicly

 

[BianchiDude]

That will not be released publicly

Kindly tell me in a Private Message.

 

[cPanelBilly]

Kindly tell me in a Private Message.

This also will not be done.

 

[fubfub]

Well, anything that is hindering you from "releasing publicly" if this is also an issue with grsec?

 

[fubfub]

Well, apparently there is. Too bad :-(.

 

[cPanelNick]

Well, anything that is hindering you from "releasing publicly" if this is also an issue with grsec?

We were not able to confirm it on more then one machine so far. At this point, its just an advisory. We feel its better to be proactive instead of reactive in the event it does turn out to be a major problem. Given that pure-ftpd has a better security history then proftpd, we feel this is the wisest course at this time.

 

[cPanelNick]

This also will not be done.

Should we come up with a working proof of concept, it will be given to the proftpd developers so they can resolve the problem, it one does exist. Releasing it publicly at this point would be unprofessional it is still as of yet unconfirmed and would not allow people to patch affected systems before black hats got ahold of it.

 

[rwoliver2]

Are you referring to this?

http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02

This is more of a timing issue with authentication, not really a root exploit. It would only help a hacker actually discover what usernames were valid or not, which they could do on Cpanel servers easily by using the ~username trick on the host's main IP.

Unless there's a way to get a root login or shell with ProFTPD, i'd say its reasonably safe to use, even with this security advisory.

Just my 0.02

 

[manokiss]

Nick,

just tested the last edge with pure-ftpd, looks like you fixed the quota problem but it continue creating the ftp username into the /etc/proftpd/accountname directory, the account work but wondering why it creating the username in the proftpd if i switched to pure.

ty!

 

[gpan]

That's not what they are referring to - I believe its a new exploit they think is at play.

 

[cPanelNick]

Nick,

just tested the last edge with pure-ftpd, looks like you fixed the quota problem but it continue creating the ftp username into the /etc/proftpd/accountname directory, the account work but wondering why it creating the username in the proftpd if i switched to pure.

ty!

/etc/proftpd is used for backwards compat. It will probably get moved to /etc/vftp eventually, but since so many things rely on it being there it won't be too soon.