Dec 21, 2010 17:30 GMT  ·  By

A zero-day vulnerability which allowed attackers to install a backdoor in the ProFTPD source code packages last month has been patched in the newly released 1.3.3d version.

ProFTPD is one of the most popular open source FTP server implementations. It is designed to run on most *NIX flavored operating systems, such as Linux, BSD, Mac OS X and Solaris.

At the end of November, unidentified hackers compromised the project's main distribution server at ftp.proftpd.org and added a backdoor to the official ProFTPD 1.3.3c source code.

The backdoor allowed attackers to obtain root shells on servers running the rigged version of ProFTPD by simply sending a command called "HELP ACIDBITCHEZ" to them.
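A defender watching for this kind of trigger can check FTP control-channel logs for HELP requests that name something other than a real FTP command. The following Python scanner is an added example, not code from the article or from the ProFTPD project: the log lines are constructed (the timestamp/IP/command layout is an assumption about the log format), the trigger string is the one the article reports, and the list of known verbs is the RFC 959 command set plus a few common extensions. It goes slightly beyond the article by flagging any unrecognised HELP argument as a lower-severity warning, since a legitimate HELP argument is a command name.

```python
import re

# Constructed sample FTP control-channel log (client -> server commands).
# Format assumed here: "<date> <time> <client-ip> <VERB> [argument]".
# The final line carries the trigger string reported for the backdoored tarball.
SAMPLE_LOG = """\
2010-12-01 10:02:11 203.0.113.5 USER anonymous
2010-12-01 10:02:11 203.0.113.5 PASS guest@example.org
2010-12-01 10:02:12 203.0.113.5 HELP
2010-12-01 10:02:13 203.0.113.5 HELP SITE
2010-12-01 10:02:14 203.0.113.5 PWD
2010-12-01 10:02:20 203.0.113.9 HELP XYZZY
2010-12-01 10:03:40 198.51.100.7 HELP ACIDBITCHEZ
"""

# Trigger string named in the article for the backdoored ProFTPD 1.3.3c build.
BACKDOOR_TRIGGER = "ACIDBITCHEZ"

# Command names a legitimate "HELP <command>" may ask about: RFC 959 verbs
# plus common extensions (FEAT, OPTS, MLSD, ...). Anything else is suspicious.
KNOWN_VERBS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT",
    "PASV", "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO",
    "REST", "RNFR", "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST",
    "NLST", "SITE", "SYST", "STAT", "HELP", "NOOP",
    "FEAT", "OPTS", "EPRT", "EPSV", "MDTM", "SIZE", "MLST", "MLSD", "AUTH",
    "PBSZ", "PROT",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<verb>[A-Za-z]+)(?: (?P<arg>.*))?$"
)


def classify(line):
    """Return None for a benign log line, else a dict describing the finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: ignored by this simple scanner
    verb = m.group("verb").upper()
    arg = (m.group("arg") or "").strip()
    if verb != "HELP" or not arg:
        return None  # plain HELP with no argument is normal client behaviour
    finding = {"src": m.group("ip"), "arg": arg}
    if arg.upper() == BACKDOOR_TRIGGER:
        finding["severity"] = "critical"
        finding["reason"] = "known backdoor trigger string in HELP argument"
    elif arg.upper() not in KNOWN_VERBS:
        finding["severity"] = "warning"
        finding["reason"] = "HELP argument is not a recognised FTP command"
    else:
        return None
    return finding


def scan(log_text):
    """Scan a whole log; return findings in order, each tagged with its line number."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        f = classify(line)
        if f is not None:
            f["line"] = lineno
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity'].upper()} from {f['src']}: "
              f"HELP {f['arg']} ({f['reason']})")
```

Run against the sample, the scanner reports a warning for `HELP XYZZY` and a critical finding for the trigger line, while the empty `HELP` and `HELP SITE` requests pass as benign. The warning tier is the part that survives a renamed trigger: a server that only ever sees `HELP` or `HELP <verb>` has no business receiving arbitrary tokens there.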

When the security breach was discovered a few days later, TJ Saunders, the ProFTPD maintainer, said that hackers most likely exploited an unpatched vulnerability to break into ftp.proftpd.org.

That flaw turned out to be a buffer overflow condition in the sql_prepare_where() function, which was publicly disclosed in the November issue of the Phrack security magazine.

For some reason, this disclosure still hadn't made it to the ears of ProFTPD contributors ten days later, when hackers took advantage of it to compromise the distribution server.

In addition to the sql_prepare_where() buffer overflow, which was fixed by improving bounds checking, eleven other stability issues have been addressed in the new 1.3.3d version.

The patch was also included in the first release candidate for the upcoming ProFTPD 1.3.4 branch (1.3.4rc1), which landed at the same time as 1.3.3d.

In addition, 1.3.4rc1 contains fixes for a Telnet IAC stack overflow vulnerability reported through TippingPoint's ZDI program (ZDI-CAN-925) and a directory traversal flaw (CVE-2010-3867). Both were patched last month in 1.3.3c.

Notable public FTP servers running ProFTPD include ftp.apple.com, ftp.openssl.org and ftp.rsa.com.