07 Nov 2010

ProFTPD Remote Code Execution Vulnerability and exploit 

By - Linux, Plesk, Security 3 Comments

A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function, which evaluates TELNET IAC sequences.

ProFTPD bug report: http://bugs.proftpd.org/show_bug.cgi?id=3521

All MNX Solutions Linux Server Management customers have been patched.

Plesk 9.5 and 10 ship a vulnerable ProFTPD. ALL CURRENT PLESK VERSIONS ARE VULNERABLE.

Updating to ProFTPD version 1.3.3c or disabling FTP services are the only solutions to this vulnerability.

ProFTPD processes TELNET IAC sequences on port 21; these sequences enable or disable certain options not supported by the Telnet or FTP protocol itself. The buffer overflow allows attackers to write arbitrary code to the application's stack and execute it. Updating to version 1.3.3c of ProFTPD solves the problem.
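As an added example (not from the original post, Plesk, or the ProFTPD project), a small Python triage script that takes the 220 greeting from each server in an inventory and reports whether the advertised ProFTPD version predates the 1.3.3c fix. It assumes the default ServerIdent banner format and runs on constructed sample banners.

```python
import re

# 1.3.3c is the fixed release named in the post; everything older is vulnerable.
FIXED_VERSION = (1, 3, 3, None, "c")

# Constructed sample banners; none was captured from a real host.
SAMPLE_BANNERS = [
    "220 ProFTPD 1.3.3a Server (ProFTPD Default Installation) [10.0.0.5]",
    "220 ProFTPD 1.3.3c Server (Plesk) [10.0.0.6]",
    "220 ProFTPD 1.3.2e Server [10.0.0.7]",
    "220 ProFTPD 1.3.3rc4 Server [10.0.0.8]",
    "220 FTP server ready",  # ServerIdent off: version not advertised
]

# Matches "ProFTPD 1.3.3c", "ProFTPD 1.3.3" and "ProFTPD 1.3.3rc4".
_VERSION_RE = re.compile(r"ProFTPD\s+(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?")


def version_key(major, minor, patch, rc, letter):
    """Sortable key: 1.3.3rc4 < 1.3.3 < 1.3.3a < 1.3.3c < 1.3.4."""
    rc_rank = int(rc) if rc else 10 ** 6  # a final release outranks any rc
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    return (major, minor, patch, rc_rank, letter_rank)


def parse_banner(banner):
    """Return the version key from a 220 greeting, or None if not advertised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, rc, letter = m.groups()
    return version_key(int(major), int(minor), int(patch), rc, letter)


def is_vulnerable(banner):
    """True if older than 1.3.3c, False if 1.3.3c or newer, None if unknown."""
    key = parse_banner(banner)
    if key is None:
        return None
    return key < version_key(*FIXED_VERSION)


def triage(banners):
    """Map each banner to 'vulnerable', 'patched' or 'unknown'."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return {b: labels[is_vulnerable(b)] for b in banners}


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:10s} {banner}")
```

A host with ServerIdent off, or a distribution package that backports the fix while keeping the old version string, shows up as unknown or vulnerable here; confirm those against the installed package version.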

The update also fixes a directory traversal vulnerability which can only be exploited if the “mod_site_misc” module is loaded. This flaw could allow attackers with write privileges to leave their permitted path and delete directories or create symbolic links outside of the path. The module is not loaded or compiled by default.

A remote root exploit is available: [Full-disclosure] ProFTPD IAC Remote Root Exploit.

A ProFTPD update for Plesk has been provided by Atomic Rocket Turtle. To apply the update, execute the commands below (or give us a call; we would be happy to walk you through it).

# wget -O - http://www.atomicorp.com/installers/atomic |sh
# yum upgrade psa-proftpd

Request Additional Information

Give us a call at 888-877-7118 or click here to request a proposal, and rest easy while we proactively manage your server environment.

3 Responses to “ProFTPD Remote Code Execution Vulnerability and exploit”

  1. cd says:

    I applied the update and now no user has the ability to connect via ftp. The ftp server answers, but I continually receive ‘530 Login incorrect.’ after supplying the password. Does this update change group permissions that deal with ftp?

  2. nwilkens says:

    We have not experienced this issue after applying the ART Proftp 1.3.3c update. I am assuming you are using Plesk, if so the following article may provide some additional assistance: http://kb.parallels.com/4647

  3. cd says:

    The update was applied to a server running Plesk 9.5 fc8. The solution was to comment out the directives at the top of /etc/pam.d/proftpd. There was a deprecated pam_stack.so that was being used but since the Fedora version is a bit older, the upgrades no longer take those older versions of the OS into account.
