proftpd-basic: command line split CSRF

Related Vulnerabilities: CVE-2008-4242  

Debian Bug report logs - #502674


Reported by: Ian Beckwith <ianb@erislabs.net>

Date: Sun, 19 Oct 2008 00:51:01 UTC

Severity: grave

Tags: security

Found in version proftpd-dfsg/1.3.1-14

Fixed in version proftpd-dfsg/1.3.1-15

Done: Francesco Paolo Lovergine <frankie@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#502674; Package proftpd-basic. (Sun, 19 Oct 2008 00:51:03 GMT)


Acknowledgement sent to Ian Beckwith <ianb@erislabs.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Francesco Paolo Lovergine <frankie@debian.org>. (Sun, 19 Oct 2008 00:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ian Beckwith <ianb@erislabs.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: proftpd-basic: command line split CSRF
Date: Sun, 19 Oct 2008 01:46:05 +0100
Package: proftpd-basic
Version: 1.3.1-14
Severity: grave
Tags: security
Justification: user security hole

Hi,

proftpd in debian is vulnerable to CVE-2008-4242:

> ProFTPD 1.3.1 interprets long commands from an FTP client as
> multiple commands, which allows remote attackers to conduct
> cross-site request forgery (CSRF) attacks and execute arbitrary FTP
> commands via a long ftp:// URI that leverages an existing session
> from the FTP client implementation in a web browser.

See:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4242

http://securityreason.com/achievement_securityalert/56

http://bugs.proftpd.org/show_bug.cgi?id=3115

There is a patch in proftpd CVS (src/netio.c 1.34 and src/main.c
1.345), but it will need backporting to the version in Debian.

The equivalent bugs in ftpd and ftpd-ssl are #500278 and #500518, but
the codebase has diverged enough that the patches aren't applicable.

To test for the vulnerability:

$  perl -e 'print "A"x1022,"QUIT\n"' | nc localhost 21
220 ProFTPD 1.3.1 Server (Debian) [10.1.1.2]
500 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA not understood
221 Goodbye.


This splits the command-line and then incorrectly honours the QUIT.

Ian.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages proftpd-basic depends on:
ii  adduser                   3.110          add and remove users and groups
ii  debconf                   1.5.24         Debian configuration management sy
ii  debianutils               2.30           Miscellaneous utilities specific t
ii  libacl1                   2.2.47-2       Access control list shared library
ii  libattr1                  1:2.4.43-1     Extended attribute shared library
ii  libc6                     2.7-15         GNU C Library: Shared libraries
ii  libcap1                   1:1.10-14      support for getting/setting POSIX.
ii  libncurses5               5.6+20081011-1 shared libraries for terminal hand
ii  libpam-runtime            1.0.1-4        Runtime support for the PAM librar
ii  libpam0g                  1.0.1-4        Pluggable Authentication Modules l
ii  libssl0.9.8               0.9.8g-13      SSL shared libraries
ii  libwrap0                  7.6.q-16       Wietse Venema's TCP wrappers libra
ii  netbase                   4.34           Basic TCP/IP networking system
ii  sed                       4.1.5-8        The GNU sed stream editor
ii  ucf                       3.0010         Update Configuration File: preserv
ii  update-inetd              4.31           inetd configuration file updater

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
ii  openssl                       0.9.8g-13  Secure Socket Layer (SSL) binary a
pn  proftpd-doc                   <none>     (no description available)
pn  proftpd-mod-ldap              <none>     (no description available)
pn  proftpd-mod-mysql             <none>     (no description available)
pn  proftpd-mod-pgsql             <none>     (no description available)

-- debconf information:
* shared/proftpd/inetd_or_standalone: from inetd

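The mechanism behind the probe above, as an added example that is not part of the bug report or of ProFTPD's source: a fixed-size command buffer that returns what it has read when the buffer fills, whether or not a newline was seen, so the bytes after the boundary are processed as the next command. The emulation below reproduces the 1022-byte split length from the report and shows why a different length (1021 filler bytes) does not trigger it, which is the point Francesco makes about needing a specific length. The buffer accounting (1024-byte buffer, two bytes reserved, 1022 bytes of command text per read), the `None` marker for the fixed reader's "command too long" rejection, and the wording of the second transcript's 500 reply are assumptions chosen to match the report, not claims about the exact ProFTPD code or reply text.

```python
import socket

LINE_BUF = 1024               # command buffer size (assumed)
PAYLOAD_MAX = LINE_BUF - 2    # command bytes one read can return (assumed; yields 1022)


def read_commands_vulnerable(stream: bytes, bufsize: int = LINE_BUF):
    """Emulate the pre-fix reader: stop at a newline OR when the buffer is
    full, and hand back whatever was read as a complete command.  The bytes
    left over after a full buffer are then parsed as the *next* command,
    which is how a trailing QUIT (or any smuggled command) gets executed."""
    limit = bufsize - 2
    commands, pos = [], 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos, pos + limit)
        if nl != -1:
            commands.append(stream[pos:nl].rstrip(b"\r"))
            pos = nl + 1
        else:
            commands.append(stream[pos:pos + limit])   # truncated line treated as a command
            pos += limit
    return commands


def read_commands_fixed(stream: bytes, bufsize: int = LINE_BUF):
    """Emulate the hardened reader: a line that does not fit the buffer is
    rejected (represented here by None) and everything up to the next newline
    is discarded, so the smuggled command is swallowed together with the junk."""
    limit = bufsize - 2
    commands, pos = [], 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos, pos + limit)
        if nl != -1:
            commands.append(stream[pos:nl].rstrip(b"\r"))
            pos = nl + 1
        else:
            commands.append(None)                      # "command too long" error reply
            nl = stream.find(b"\n", pos)
            pos = len(stream) if nl == -1 else nl + 1
    return commands


def probe_payload(filler_len: int = 1022) -> bytes:
    """The report's probe: filler followed by QUIT on the same line."""
    return b"A" * filler_len + b"QUIT\n"


def transcript_shows_split(transcript: str) -> bool:
    """True when the server answered the junk with a 5xx reply and then
    honoured the QUIT (221): one line was executed as two commands."""
    codes = [ln[:3] for ln in transcript.splitlines() if ln[:3].isdigit()]
    return any(c.startswith("5") and "221" in codes[i + 1:] for i, c in enumerate(codes))


# Constructed transcripts.  The first mirrors the report's output; the second is
# what a server that rejects the overlong line would produce (reply wording assumed).
VULNERABLE_TRANSCRIPT = (
    "220 ProFTPD 1.3.1 Server (Debian) [10.1.1.2]\n"
    "500 " + "A" * 1022 + " not understood\n"
    "221 Goodbye.\n"
)
FIXED_TRANSCRIPT = (
    "220 ProFTPD 1.3.1 Server (Debian) [10.1.1.2]\n"
    "500 Command too long\n"
)


def probe_server(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Live version of the report's nc test: send the probe and classify the
    replies.  Only run this against a server you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe_payload())
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return transcript_shows_split(b"".join(chunks).decode("ascii", "replace"))


if __name__ == "__main__":
    print("vulnerable reader:", [c[-8:] if c else c for c in read_commands_vulnerable(probe_payload())])
    print("off-by-one filler:", [c[-8:] for c in read_commands_vulnerable(probe_payload(1021))])
    print("fixed reader:     ", read_commands_fixed(probe_payload()))
```

With 1022 filler bytes the vulnerable reader yields two commands, the second of them `QUIT`; with 1021 the boundary falls inside the word (`...AQ` then `UIT`), so nothing is honoured, which is why an arbitrary long line does not reproduce the bug. The fixed reader returns a single rejection for the whole line and never sees the QUIT.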



Information forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#502674; Package proftpd-basic. (Sun, 19 Oct 2008 09:03:05 GMT)


Acknowledgement sent to "Francesco P. Lovergine" <frankie@debian.org>:
Extra info received and forwarded to list. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>. (Sun, 19 Oct 2008 09:03:05 GMT)


Message #10 received at 502674@bugs.debian.org:

From: "Francesco P. Lovergine" <frankie@debian.org>
To: Ian Beckwith <ianb@erislabs.net>, 502674@bugs.debian.org
Subject: Re: Bug#502674: proftpd-basic: command line split CSRF
Date: Sun, 19 Oct 2008 10:59:17 +0200
On Sun, Oct 19, 2008 at 01:46:05AM +0100, Ian Beckwith wrote:
> Package: proftpd-basic
> Version: 1.3.1-14
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> proftpd in debian is vulnerable to CVE-2008-4242:
> 
> > ProFTPD 1.3.1 interprets long commands from an FTP client as
> > multiple commands, which allows remote attackers to conduct
> > cross-site request forgery (CSRF) attacks and execute arbitrary FTP
> > commands via a long ftp:// URI that leverages an existing session
> > from the FTP client implementation in a web browser.
> 
> See:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4242
> 
> http://securityreason.com/achievement_securityalert/56
> 
> http://bugs.proftpd.org/show_bug.cgi?id=3115
> 
> There is a patch in proftpd CVS (src/netio.c 1.34 and src/main.c
> 1.345), but it will need backporting to the version in Debian.
> 
> The equivalent bugs in ftpd and ftpd-ssl are #500278 and #500518, but
> the codebase has diverged enough that the patches aren't applicable.
> 
> To test for the vulnerability:
> 
> $  perl -e 'print "A"x1022,"QUIT\n"' | nc localhost 21
> 220 ProFTPD 1.3.1 Server (Debian) [10.1.1.2]
> 500 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA not understood
> 221 Goodbye.
> 
> 
> This splits the command-line and then incorrectly honours the QUIT.
> 
> Ian.
> 

Ah, thanks for the detailed report. Indeed it requires a specific length for
the exploit buffer, which explains why I did not match it when I tried some
weeks ago. It indeed also applies to 1.3.0 on etch.
Ok, let's patch...

-- 
Francesco P. Lovergine




Reply sent to Francesco Paolo Lovergine <frankie@debian.org>:
You have taken responsibility. (Sun, 19 Oct 2008 21:48:21 GMT)


Notification sent to Ian Beckwith <ianb@erislabs.net>:
Bug acknowledged by developer. (Sun, 19 Oct 2008 21:48:21 GMT)


Message #15 received at 502674-close@bugs.debian.org:

From: Francesco Paolo Lovergine <frankie@debian.org>
To: 502674-close@bugs.debian.org
Subject: Bug#502674: fixed in proftpd-dfsg 1.3.1-15
Date: Sun, 19 Oct 2008 21:02:50 +0000
Source: proftpd-dfsg
Source-Version: 1.3.1-15

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive:

proftpd-basic_1.3.1-15_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd-basic_1.3.1-15_i386.deb
proftpd-dfsg_1.3.1-15.diff.gz
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-15.diff.gz
proftpd-dfsg_1.3.1-15.dsc
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-15.dsc
proftpd-doc_1.3.1-15_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-doc_1.3.1-15_all.deb
proftpd-mod-ldap_1.3.1-15_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-15_i386.deb
proftpd-mod-mysql_1.3.1-15_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-15_i386.deb
proftpd-mod-pgsql_1.3.1-15_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-15_i386.deb
proftpd_1.3.1-15_all.deb
  to pool/main/p/proftpd-dfsg/proftpd_1.3.1-15_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 502674@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <frankie@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 21 Sep 2008 23:32:46 +0200
Source: proftpd-dfsg
Binary: proftpd proftpd-basic proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap
Architecture: source i386 all
Version: 1.3.1-15
Distribution: unstable
Urgency: high
Maintainer: Francesco Paolo Lovergine <frankie@debian.org>
Changed-By: Francesco Paolo Lovergine <frankie@debian.org>
Description: 
 proftpd    - versatile, virtual-hosting FTP daemon
 proftpd-basic - versatile, virtual-hosting FTP daemon - binaries
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-ldap - versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-pgsql - versatile, virtual-hosting FTP daemon - PostgreSQL module
Closes: 502674
Changes: 
 proftpd-dfsg (1.3.1-15) unstable; urgency=high
 .
   * Fixed debian/changelog for wrongly close #496622 instead of #497622.
   * [PATCH,SECURITY] New 3115.dpatch.
     Fixes a cross-site forgery based on long command use, CVE-2008-4242.
     (closes: #502674)
Checksums-Sha1: 
 c97d15973d5a676d5cc8ffb7a7dd9b2d159f1f3b 1321 proftpd-dfsg_1.3.1-15.dsc
 b1b9f5182abbcb32a720e1f69a34318f3f5a3309 97531 proftpd-dfsg_1.3.1-15.diff.gz
 c3129f4d874546f23416923eaf5001db3615c292 684572 proftpd-basic_1.3.1-15_i386.deb
 1fb2939fd4614b8c4058c407272c56f21d0c1d29 202492 proftpd-mod-mysql_1.3.1-15_i386.deb
 dc89a972648ebcfcb9e6a55ae6a03125a6d1c6e2 201842 proftpd-mod-pgsql_1.3.1-15_i386.deb
 a28b40c5ab1750f2b7dd5e807758a249db5edf23 211834 proftpd-mod-ldap_1.3.1-15_i386.deb
 9d6a24c5674d59ddb0243fdc8507c3e558894b50 194510 proftpd_1.3.1-15_all.deb
 63046615a4e1e4f98a7c128f9ea6ce14bdc9082c 1255916 proftpd-doc_1.3.1-15_all.deb
Checksums-Sha256: 
 ebfe8803edae5d06a1bbb1c7e0f7c447eb63d16ea6228025227093f67496f494 1321 proftpd-dfsg_1.3.1-15.dsc
 f684002fae48a0d05a38ed5cad89164b6064a24f248720553b04cf6bb1941a3a 97531 proftpd-dfsg_1.3.1-15.diff.gz
 27499a107490259efd00992dd41364b6c363dfb7f5f1cb832f23fc5634ac4260 684572 proftpd-basic_1.3.1-15_i386.deb
 ceecc9f7118a51223635ad2d807a75a7f3e29346eca51b906edbd20b2040b70c 202492 proftpd-mod-mysql_1.3.1-15_i386.deb
 15a87d18e72e2d0675c2f0178ff89eb2dd5835db2908b54908d337d3cf18982c 201842 proftpd-mod-pgsql_1.3.1-15_i386.deb
 e4c801e4db9c0e33e15c8d2b94aa3e44ac7f30b3847e213bd2b200d3af8a3a99 211834 proftpd-mod-ldap_1.3.1-15_i386.deb
 d7b6137f6ef1595cf23df489d3e950a41ff827c60a61adc42f5ac6ee0642b4e5 194510 proftpd_1.3.1-15_all.deb
 be06f886d32cdd5bd001f532c77b82eec92db29c5b82f544cfbe69cdf35ae94b 1255916 proftpd-doc_1.3.1-15_all.deb
Files: 
 981d660d3a7aa5d17974ce0b5b92b155 1321 net optional proftpd-dfsg_1.3.1-15.dsc
 1e5840dc6945b7e97e640a87bfc44581 97531 net optional proftpd-dfsg_1.3.1-15.diff.gz
 e0fefa3fc3a8fba71bce622056180eef 684572 net optional proftpd-basic_1.3.1-15_i386.deb
 5f551dcc2644e34f3395b45ccbd9b779 202492 net optional proftpd-mod-mysql_1.3.1-15_i386.deb
 5c78b2dd0dfb539c0ff048475e923a5d 201842 net optional proftpd-mod-pgsql_1.3.1-15_i386.deb
 0a6161368d0b0af7de9794cbb0c1d047 211834 net optional proftpd-mod-ldap_1.3.1-15_i386.deb
 ec50823f6dc277dad1b271cd2f6fb4a0 194510 net optional proftpd_1.3.1-15_all.deb
 f556b945768c47be6df29a55d946fa4b 1255916 doc optional proftpd-doc_1.3.1-15_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj7nfUACgkQpFNRmenyx0drPACfcornqvDnsU+6wF21cthTxKF9
AaAAoPufOw5rPBEWDN+KSCihkxxoHGFU
=bHMu
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Nov 2008 08:26:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:01:26 2019; Machine Name: buxtehude
