Nov 2, 2010 15:11 GMT

A critical buffer overflow vulnerability, which allows attackers to execute arbitrary code remotely, was patched in the newly released ProFTPD 1.3.3c.

The vulnerability was reported through TippingPoint's Zero Day Initiative (ZDI) program, which pays security researchers for zero-day flaws.

According to the ZDI upcoming advisories list, the issue was reported to the ProFTPD development team on September 24.

Vulnerability research vendor Secunia rates the flaw as highly critical and describes it as a logic error within the "pr_netio_telnet_gets()" function.

"When reading user input, if a TELNET_IAC escape sequence is encountered, the process miscalculates a buffer length counter value, allowing a user-controlled copy of data to a stack buffer.

"A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process," the entry in the ProFTPD project's bug tracker reads.
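A simplified illustration of the defensive pattern, added here and not ProFTPD's own code: a telnet-style line reader that strips IAC sequences and decrements its remaining-capacity counter only for bytes it actually stores, so escape handling cannot desynchronise the length accounting. The function name, the TELNET_* constants and the treatment of option negotiation as three-byte sequences are assumptions for this example (subnegotiation is out of scope).

```c
#include <stddef.h>

/* Telnet command bytes assumed for this example (RFC 854 values). */
#define TELNET_IAC  255
#define TELNET_DONT 254
#define TELNET_DO   253
#define TELNET_WONT 252
#define TELNET_WILL 251

/* Copy one line from raw input `in` (inlen bytes) into `out` (outcap bytes),
 * dropping IAC command sequences and stopping after '\n'.
 * Returns the number of bytes stored (NUL-terminated), or -1 if the line
 * would not fit. `room` only shrinks when a byte is written to `out`, so
 * consumed escape bytes can never push the copy past the buffer. */
int telnet_gets(char *out, size_t outcap, const unsigned char *in, size_t inlen) {
    size_t i = 0, n = 0;
    if (outcap == 0) return -1;
    size_t room = outcap - 1;                    /* reserve one byte for the NUL */
    while (i < inlen) {
        unsigned char c = in[i++];
        if (c == TELNET_IAC) {
            if (i >= inlen) break;               /* truncated sequence: drop it */
            unsigned char cmd = in[i++];
            if (cmd == TELNET_IAC) {
                c = TELNET_IAC;                  /* escaped 0xFF: store literally */
            } else {
                /* WILL/WONT/DO/DONT carry one option byte; skip it too. */
                if (cmd >= TELNET_WILL && cmd <= TELNET_DONT) i++;
                continue;                        /* command consumed, nothing stored */
            }
        }
        if (room == 0) return -1;                /* would overflow: refuse the line */
        out[n++] = (char)c;
        room--;
        if (c == '\n') break;
    }
    out[n] = '\0';
    return (int)n;
}
```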

Successful exploitation can be achieved over both FTP and FTPS (FTP over SSL/TLS) connections and doesn't require authentication.

Therefore, public FTP servers based on ProFTPD are in immediate danger of compromise. This includes ftp.apple.com, ftp.openssl.org and ftp.rsa.com.

The project developers note that SSH/SFTP/SCP connections available through the mod_sftp module are not affected.

The vulnerability was apparently introduced back in November 2008, during a bug fix in ProFTPD version 1.3.2rc3.

A secondary directory traversal flaw has also been addressed in the new release. It was reported by an anonymous researcher via the SecuriTeam Secure Disclosure program.

It is rated much lower because it can only be exploited if ProFTPD was compiled with mod_site_misc and if the attacker has write permission to a directory.

Successful attacks involve creating and deleting a directory located outside the writable directory, creating a symlink outside of the writable directory and modifying the time stamp of files located outside of the writable directory.

ProFTPD is a very popular FTP daemon (server) distributed under GNU GPL and capable of running on most UNIX-like systems including Linux, BSD, Mac OS X and Solaris.
