[VIM] ProFTPD mess from 1999
Brian Martin
bmartin at tenablesecurity.com
Wed Feb 4 06:32:27 UTC 2009
Back in the day, there was a mess of ProFTPd vulnerabilities posted. It
appears that they ended up as one CVE entry even though there were at least
three distinct issues posted. It gets worse if you look at the vendor
changelog for that time period, suggesting there may have been many more
vulnerabilities fixed.
I ran across this mess a few nights ago at the end of my work day (4AM) and
gave George a heads-up. He looked at the three issues (Nessus has had plugins
for each for some time) and added mail list references to each to help me
distinguish them, saving me a lot of time and a royal headache. After that I
did some more research because neither of us was sure if one issue was fixed
by a specific release.
All in all, this should clear up a lot of confusion over these old issues, and
possibly point out there are additional vulnerabilities that should be documented.
proftpd_mkdir_overflow.nasl (Plugin 10189), OSVDB 144:
exploit for 1.2.0pre1 - 1.2.0pre3 posted by acidrain at HACKBOX.COM:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0632.html
temporary workaround:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0649.html
patch, says issue is due to src/log.c log_xfer() function:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0651.html
second exploit for same issue:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0653.html
fix, up to 1.2.0pre4?:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0676.html
At this point, it isn't fully clear if 1.2.0pre4 fixed the issue. While the
timing of the vendor's mail (Aug 30) referring to the 'exploit this weekend'
(Aug 27) seems straightforward, the vendor's changelog has what appears to be
a fix some 10 days before that. The same changelog does not have consistent
references to release versions either.
1999-09-07 16:09 macgyver
* modules/: mod_auth.c, mod_log.c, mod_ls.c, mod_site.c, mod_tar.c,
mod_test.c, mod_unixpw.c, mod_xfer.c: Removed unsafe buffer copies
that may have been potential problems. Implemented the 'real'
patch for the MKD/log security issues.
proftpd_overflow.nasl (Plugin 10190), OSVDB 51719:
mkdir attack against 1.2.0pre4, discovered by Renaud:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0816.html
proftpd_pre6_exploit.nasl (Plugin 10191), OSVDB 51720:
vague warning 1.2.0pre6 is vuln by tymm at COE.MISSOURI.EDU:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0974.html
patch for vuln:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0995.html
exploit, NLST overflow POC, 1.2.0pre7 should fix:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/1009.html
Now, the real mess. The following is from the Changelog distributed with
1.2.5, the oldest version I saw available on ftp.proftpd.org.
These are the only three entries related to versions:
1999-10-04 16:35 macgyver
* include/version.h: Updated to pre8.
1999-09-16 20:55 macgyver
* include/version.h: Bumped version number.
1999-03-09 17:19 flood
* changelog, include/version.h: Version 1.2.0pre3
There is a huge gap between pre3 and pre8 time-wise, with only one indication
of "bumped version number", which is not much help. Then it goes downhill... look
at all of the security related fixes (and a few that may be, but it is not clear):
[..]
1999-09-29 23:10 macgyver
* modules/mod_auth.c: Fix a potential security hole.
1999-09-17 00:31 macgyver
* contrib/mod_mysql.c, contrib/mod_ratio.c, include/support.h,
modules/mod_auth.c, modules/mod_core.c, modules/mod_log.c,
modules/mod_ls.c, modules/mod_pam.c, modules/mod_tar.c,
modules/mod_test.c, modules/mod_xfer.c, src/auth.c, src/dirtree.c,
src/fs.c, src/ftpcount.c, src/log.c, src/main.c, src/pool.c,
src/support.c, src/utils.c: Implemented sstrncpy to handle proper
buffer copying issues on all platforms.
1999-09-16 21:06 macgyver
* src/log.c: More intelligent handling of logfiles to avoid a
potential race condition.
1999-09-16 00:42 macgyver
* src/main.c: Fixed a silly, yet insidious, way to overflow a
buffer.
1999-09-10 00:46 macgyver
* src/support.c: Fixed remaining buffer issues in sreplace.
1999-09-07 16:13 macgyver
* contrib/mod_ratio.c: Fixed some potential buffer issues.
1999-09-07 16:13 macgyver
* contrib/mod_pam.c: Some minor security updates to fix potential
buffer problems.
1999-09-07 16:09 macgyver
* modules/: mod_auth.c, mod_log.c, mod_ls.c, mod_site.c, mod_tar.c,
mod_test.c, mod_unixpw.c, mod_xfer.c: Removed unsafe buffer copies
that may have been potential problems. Implemented the 'real'
patch for the MKD/log security issues.
1999-09-07 16:08 macgyver
* modules/mod_core.c: Added in Bandwidth patch for bandwidth
control. Security cleanups -- removed lots of unsafe buffer
copies.
1999-01-27 14:06 flood
* changelog, include/support.h, modules/mod_ls.c, src/fs.c,
src/support.c: More possibly MKD/CWD 'sploits fixed, and mod_ls
workin well.
[..]
If you count the ones that are clearly security related, there are more than 3
issues fixed. The 1999-09-17 fix includes src/log.c in the sstrncpy fixes, so
that is ten days before the first exploit was published. We don't know if
he fixed it in advance in the dev tree, and someone found it shortly after, or
if this was a second distinct issue fixed before the one posted. There is mention
of a race condition in log.c, an overflow in main.c and "buffer issues" all over
the place. The mod_pam.c "buffer problems" are definitely security related.
1999-09-07 and 1999-01-27 mention the MKD security issues; the 1999-01-27
entry may correspond to the Bindview 'palmetto' vulnerability (information
forthcoming shortly that may clear that up). The 1999-09-07 mention of MKD
says it is the 'real' patch for the "MKD/log security issues", which closely
matches the disclosure 10 days later.
When I get time (after ShmooCon probably), I will try to sort out the
changelog better and create entries on OSVDB as needed.
Brian
Tenable Network Security
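As an added illustration (not from the post above and not ProFTPD's own source): what a bounded copy helper of the kind the 1999-09-17 "Implemented sstrncpy" entry describes does differently from the unsafe copies it replaced, applied to a fixed-size log line built from a client-supplied path, the input class behind the MKD/log reports. The helper name, buffer sizes, log format and sample path are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed helper, not ProFTPD's sstrncpy: a bounded copy that always
 * NUL-terminates and never pads; returns bytes copied (no terminator). */
size_t safe_strncpy(char *dst, const char *src, size_t dstsize)
{
    size_t n = 0;
    if (dstsize == 0)
        return 0;
    while (n < dstsize - 1 && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Why plain strncpy() is not the fix: a source of dstsize or more bytes
 * gets no terminator at all. Returns 1 if buf ends up unterminated. */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Model of a fixed-size transfer-log line built from a client-supplied
 * path (the input class behind the MKD/log reports; sizes are assumed).
 * Returns 1 if the path had to be truncated to fit, 0 otherwise. */
#define LOGLINE_MAX 64
int format_xfer_line(char *line, const char *user, const char *path)
{
    char pathbuf[32];
    size_t copied = safe_strncpy(pathbuf, path, sizeof pathbuf);
    int truncated = path[copied] != '\0';  /* source had more bytes left */
    snprintf(line, LOGLINE_MAX, "%s STOR %s", user, pathbuf); /* bounded */
    return truncated;
}

int main(void)
{
    char line[LOGLINE_MAX];  /* constructed sample path, longer than pathbuf */
    const char *longpath = "/incoming/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    int t = format_xfer_line(line, "anonymous", longpath);
    printf("truncated=%d line=\"%s\"\n", t, line);
    printf("strncpy unterminated=%d\n", strncpy_leaves_unterminated("ABCDEFGHIJ"));
    return 0;
}
```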