Andrei Caraman
2011-May-12 16:23 UTC
[Secure-testing-team] Bug#626524: proftpd-basic: DefaultAddress 127.0.0.1 not obeyed
Package: proftpd-basic
Version: 1.3.3a-6squeeze1
Severity: grave
Tags: security
Justification: user security hole

After adding the "DefaultAddress 127.0.0.1" in the server config section and
restarting proftpd-basic, I can see

# /etc/init.d/proftpd restart
Stopping ftp server: proftpd.
Starting ftp server: proftpd - setting default address to 127.0.0.1.

However, a quick "netstat -tlpe" after that shows

# netstat -tlpe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 *:ftp                   *:*                     LISTEN      proftpd    2207704     1739/proftpd: (acce

and I have confirmed I get the initial username/password dialog when
connecting from a remote client.

This has the potential of creating a false sense of security for the
administrator: we see the message about setting the default address to
127.0.0.1 and we expect no remote client can connect, when in fact anyone
can.

Regards,
adc

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages proftpd-basic depends on:
ii  adduser                 3.112+nmu2        add and remove users and groups
ii  debconf                 1.5.36.1          Debian configuration management sy
ii  debianutils             3.4               Miscellaneous utilities specific t
ii  libacl1                 2.2.49-4          Access control list shared library
ii  libattr1                1:2.4.44-2        Extended attribute shared library
ii  libc6                   2.11.2-10         Embedded GNU C Library: Shared lib
ii  libcap2                 1:2.19-3          support for getting/setting POSIX.
ii  libncurses5             5.7+20100313-5    shared libraries for terminal hand
ii  libpam-runtime          1.1.1-6.1         Runtime support for the PAM librar
ii  libpam0g                1.1.1-6.1         Pluggable Authentication Modules l
ii  libssl0.9.8             0.9.8o-4squeeze1  SSL shared libraries
ii  libwrap0                7.6.q-19          Wietse Venema's TCP wrappers libra
ii  netbase                 4.45              Basic TCP/IP networking system
ii  sed                     4.2.1-7           The GNU sed stream editor
ii  ucf                     3.0025+nmu1       Update Configuration File: preserv
ii  update-inetd            4.38+nmu1         inetd configuration file updater
ii  zlib1g                  1:1.2.3.4.dfsg-3  compression library - runtime

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
pn  openbsd-inetd | inet-su <none>            (no description available)
ii  openssl                 0.9.8o-4squeeze1  Secure Socket Layer (SSL) binary a
pn  proftpd-doc             <none>            (no description available)
pn  proftpd-mod-ldap        <none>            (no description available)
pn  proftpd-mod-mysql       <none>            (no description available)
pn  proftpd-mod-odbc        <none>            (no description available)
pn  proftpd-mod-pgsql       <none>            (no description available)
pn  proftpd-mod-sqlite      <none>            (no description available)

-- debconf information:
* shared/proftpd/inetd_or_standalone: standalone
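The report's core lesson is that the init script's "setting default address to 127.0.0.1" message is not evidence of anything; the socket table is. The check below is an added example (not from the bug report, the reporter, or proftpd): it parses `netstat -tlpe` output the way the reporter read it by eye and fails when the named daemon still has a listener on a wildcard address. The sample netstat output is constructed, modelled on the lines in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of proftpd: after changing a
# bind address, confirm from the live socket table that the daemon really
# listens only on loopback instead of trusting the init script's message.
#
# check_loopback_only PROGRAM reads `netstat -tlpe` output on stdin (program
# names are only shown to root) and returns 1 if PROGRAM has a listener on a
# wildcard address (*, 0.0.0.0 or ::), 0 otherwise.
check_loopback_only() {
    prog="$1"
    bad=$(awk -v prog="$prog" '
        # skip the two netstat header lines; $4 is the "Local Address" column
        NR > 2 && index($0, "/" prog) {
            addr = $4
            sub(/:[^:]*$/, "", addr)          # drop the ":port" suffix
            if (addr == "*" || addr == "0.0.0.0" || addr == "::") print $4
        }')
    if [ -n "$bad" ]; then
        echo "WARNING: $prog still listens on a wildcard address: $bad" >&2
        return 1
    fi
    return 0
}

# Constructed samples of `netstat -tlpe` output, modelled on the report.
NETSTAT_WILDCARD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  User    Inode   PID/Program name
tcp        0      0 *:ftp           *:*             LISTEN proftpd 2207704 1739/proftpd: (acce
tcp6       0      0 :::ftp          :::*            LISTEN proftpd 2207705 1739/proftpd: (acce'
NETSTAT_LOOPBACK='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  User    Inode   PID/Program name
tcp        0      0 127.0.0.1:ftp   *:*             LISTEN proftpd 2207704 1739/proftpd: (acce
tcp        0      0 *:ssh           *:*             LISTEN root    10203   987/sshd'

# Demo: the first sample is what the report shows and must be flagged; the
# second is what "DefaultAddress 127.0.0.1" should have produced.
printf '%s\n' "$NETSTAT_WILDCARD" | check_loopback_only proftpd || echo "wildcard sample flagged"
printf '%s\n' "$NETSTAT_LOOPBACK" | check_loopback_only proftpd && echo "loopback sample clean"
```

On a live system the same function is used as `netstat -tlpe | check_loopback_only proftpd` (as root) right after the restart, so a silently ignored bind directive fails the deployment step rather than going unnoticed.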