
Re: ProFTPD still vulnerable (Sarge)



OT: There seems to be something strange with your MUA. Look at this
header:

Cc: "Lupe Christoph"@murphy.debian.org,
        " <lupe@lupe-christoph.de>"@murphy.debian.org

On Thursday, 2006-11-30 at 12:57:53 +0100, Stefan Fritsch wrote:

> > The attacks ceased before I noticed, so I was not able to capture a TCP
> > stream. I would just like to alert people that there is still some
> > vulnerability in the ProFTPD code that was not fixed by DSA-1218-1.

> Yes, there are two open vulnerabilities in proftpd. A DSA should be in the
> works, but I don't know the current status.

Good to know. I found out in the meantime that this host does not need
to expose FTP to the world, and the hole has been plugged in the
firewall. Which also means that I will not be able to get more details
from this machine. I'd need to set up a honeypot.

> One is CVE-2006-5815 and the other is a mod_tls vulnerability without CVE
> id yet. AFAIK there is no exploit for sarge's 1.2.x for CVE-2006-5815 yet.
> So I would expect this to be the mod_tls vulnerability. Do you have
> mod_tls enabled? Try connecting to your server with telnet and enter FEAT
> and see whether it returns AUTH TLS.

Nope:

211-Features:
211-MDTM
211-REST STREAM
211-SIZE
211 End

> There is a thread about this at
> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000972.html

CVE-2006-5815: "Buffer overflow in ProFTPD 1.3.0 and earlier, when
configured to use the CommandBufferSize directive ...". This directive
is not in the default Debian Config file, I believe, and it isn't in the
one on that machine.

I believe this is similar to 308313 or 301275. This ProFTPD is started
from inetd, so it's probably a matter of timing if the segfault occurs
or not. If that is the case, it's not even a DoS opportunity as each
connection gets a fresh proftpd process.

Thanks for your feedback.
Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                               |
| Rockhound in "Armageddon", 1998, about the Space Shuttle               |
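The FEAT check suggested in the quoted reply (connect, send FEAT, look for AUTH TLS to tell whether mod_tls is active), written up as an added example that is not part of this thread. The parser is fed the 211 reply shown above plus a constructed reply from a server with mod_tls; `fetch_feat` is the live check for a host you administer.

```python
"""Added example: does an FTP server advertise AUTH TLS in its FEAT reply?"""
import socket

# Constructed samples: the first is the reply quoted in the mail above,
# the second is what a mod_tls-enabled ProFTPD typically returns.
SAMPLE_NO_TLS = "211-Features:\r\n211-MDTM\r\n211-REST STREAM\r\n211-SIZE\r\n211 End\r\n"
SAMPLE_TLS = "211-Features:\r\n AUTH TLS\r\n MDTM\r\n PBSZ\r\n PROT\r\n SIZE\r\n211 End\r\n"


def parse_feat_reply(text: str) -> list[str]:
    """Return the feature names from a multi-line 211 reply (RFC 2389).

    Feature lines are either indented with a space (current ProFTPD) or
    prefixed with '211-' (older builds, as in the mail); '211 ' ends it.
    """
    features = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith("211 "):            # final line of the reply
            break
        if line.startswith("211-"):
            line = line[4:]
        line = line.strip()
        if not line or line.lower().startswith("features"):
            continue                           # skip the '211-Features:' header
        features.append(line)
    return features


def advertises_auth_tls(feat_reply: str) -> bool:
    """True if any advertised feature is an AUTH mechanism mentioning TLS."""
    return any(f.upper().startswith("AUTH") and "TLS" in f.upper()
               for f in parse_feat_reply(feat_reply))


def _read_reply(f) -> str:
    """Read one FTP reply: lines up to the first 'NNN ' terminator line."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the control connection")
        lines.append(line)
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return "".join(lines)


def fetch_feat(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Connect to the control port, send FEAT and return the raw 211 reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="latin-1", newline="\r\n")
        _read_reply(f)                         # 220 greeting banner
        f.write("FEAT\r\n"); f.flush()
        reply = _read_reply(f)
        f.write("QUIT\r\n"); f.flush()
        return reply
```

Use `advertises_auth_tls(fetch_feat("ftp.example.internal"))` against your own server; a False result on a server that should offer TLS means mod_tls is not loaded or the feature list is hidden.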