Ian Beckwith
2008-Oct-19 00:46 UTC
[Secure-testing-team] Bug#502674: proftpd-basic: command line split CSRF
Package: proftpd-basic
Version: 1.3.1-14
Severity: grave
Tags: security
Justification: user security hole

Hi,

proftpd in debian is vulnerable to CVE-2008-4242:

> ProFTPD 1.3.1 interprets long commands from an FTP client as
> multiple commands, which allows remote attackers to conduct
> cross-site request forgery (CSRF) attacks and execute arbitrary FTP
> commands via a long ftp:// URI that leverages an existing session
> from the FTP client implementation in a web browser.

See:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4242
http://securityreason.com/achievement_securityalert/56
http://bugs.proftpd.org/show_bug.cgi?id=3115

There is a patch in proftpd CVS (src/netio.c 1.34 and src/main.c 1.345), but it will need backporting to the version in Debian.

The equivalent bugs in ftpd and ftpd-ssl are #500278 and #500518, but the codebase has diverged enough that the patches aren't applicable.

To test for the vulnerability:

$ perl -e 'print "A"x1022,"QUIT\n"' | nc localhost 21
220 ProFTPD 1.3.1 Server (Debian) [10.1.1.2]
500 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA not understood
221 Goodbye.

This splits the command-line and then incorrectly honours the QUIT.

Ian.
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages proftpd-basic depends on:
ii  adduser         3.110            add and remove users and groups
ii  debconf         1.5.24           Debian configuration management sy
ii  debianutils     2.30             Miscellaneous utilities specific t
ii  libacl1         2.2.47-2         Access control list shared library
ii  libattr1        1:2.4.43-1       Extended attribute shared library
ii  libc6           2.7-15           GNU C Library: Shared libraries
ii  libcap1         1:1.10-14        support for getting/setting POSIX.
ii  libncurses5     5.6+20081011-1   shared libraries for terminal hand
ii  libpam-runtime  1.0.1-4          Runtime support for the PAM librar
ii  libpam0g        1.0.1-4          Pluggable Authentication Modules l
ii  libssl0.9.8     0.9.8g-13        SSL shared libraries
ii  libwrap0        7.6.q-16         Wietse Venema's TCP wrappers libra
ii  netbase         4.34             Basic TCP/IP networking system
ii  sed             4.1.5-8          The GNU sed stream editor
ii  ucf             3.0010           Update Configuration File: preserv
ii  update-inetd    4.31             inetd configuration file updater

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
ii  openssl         0.9.8g-13        Secure Socket Layer (SSL) binary a
pn  proftpd-doc     <none>           (no description available)
pn  proftpd-mod-ldap <none>          (no description available)
pn  proftpd-mod-mysql <none>         (no description available)
pn  proftpd-mod-pgsql <none>         (no description available)

-- debconf information:
* shared/proftpd/inetd_or_standalone: from inetd
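The mechanism behind the report above, as an added illustration (not ProFTPD's code and not the CVS patch the report mentions): a line reader with a fixed-size buffer that hands the overflow of an over-long line back as the next command, beside a reader that drains the rest of the line and rejects it. The 1024-byte limit, the toy command set and the reply texts are assumptions chosen for the example; the input is constructed to land exactly on that boundary.

```python
"""Simulation of the command-line split defect reported for ProFTPD
(CVE-2008-4242) and of a reader that does not split over-long lines.

Added illustration, not ProFTPD's code. The 1024-byte limit, the command
set and the reply texts are assumptions made for this example.
"""
import io

MAX_LINE = 1024  # assumed per-command buffer size


def read_line_split(stream, limit=MAX_LINE):
    """Defective reader: returns at most `limit` bytes of the line.
    Whatever is left of a longer line stays in the stream and is read
    as the *next* command, so one long client line becomes several."""
    chunk = stream.readline(limit)
    if not chunk:
        return None, False   # end of input
    return chunk, False


def read_line_safe(stream, limit=MAX_LINE):
    """Corrected reader: a line that does not fit in `limit` bytes is
    drained up to its newline and reported as over-long, so no leftover
    bytes can be interpreted as a further command."""
    chunk = stream.readline(limit)
    if not chunk:
        return None, False
    if len(chunk) == limit and not chunk.endswith(b"\n"):
        # Discard the remainder of this same line without interpreting it.
        while True:
            more = stream.readline(limit)
            if not more or more.endswith(b"\n"):
                break
        return None, True
    return chunk, False


def dispatch(command):
    """Toy FTP command handler (assumed replies)."""
    verb = command.split(b" ", 1)[0].upper()
    if verb == b"QUIT":
        return "221 Goodbye."
    if verb == b"NOOP":
        return "200 NOOP ok"
    text = command.decode("ascii", "replace")
    return f"500 {text} not understood"


def run_session(data, reader):
    """Feed raw client bytes through `reader`; return the server replies."""
    stream = io.BytesIO(data)
    replies = []
    while True:
        line, too_long = reader(stream)
        if too_long:
            replies.append("500 Command line too long")
            continue
        if line is None:
            break
        replies.append(dispatch(line.rstrip(b"\r\n")))
        if replies[-1].startswith("221"):
            break
    return replies


# Constructed client input: a line that overflows the assumed buffer by
# exactly the bytes "QUIT\r\n", mirroring the shape of the report's test.
LONG_LINE = b"A" * MAX_LINE + b"QUIT\r\n"

if __name__ == "__main__":
    print("split reader :", [r[:16] + "..." for r in run_session(LONG_LINE, read_line_split)])
    print("safe reader  :", run_session(LONG_LINE, read_line_safe))
```

With the split reader the session ends with "221 Goodbye." even though the client sent a single (malformed) line; with the draining reader the only reply is the rejection of the over-long line, and a normal multi-line session is handled unchanged.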