November 15, 2010

ProFTPD Remote Code Execution Vulnerability and Exploit

FIXES FOR THE VULNERABILITY AND EXPLOIT

Parallels has used its micro-update patch functionality in Plesk 9.5x, Plesk 10, and Small Business Panel 10.2 to fix this vulnerability. You can run the Parallels AutoInstaller to apply the fix, or check the Updates section of your Plesk Panel 9.5x, Plesk 10, or Small Business Panel 10.2. This is a file replacement rather than a new install, so it is quick and reliable. To find this in the GUI:

  Parallels Plesk Panel 9.5x: "Home" -> "Updates" -> Select the Panel version which has updates -> click "Install"
  Parallels Plesk Panel 10.x: "Server Management" -> "Tools & Utilities" -> "Updates" -> "Update Components" -> click "Continue"
  Parallels Small Business Panel: "Settings" -> "Updates" -> "Continue"

See below on this page for details showing this step by step in screen shots.

These ProFTPD fixes are also available from the Parallels AutoInstaller for Plesk 9.52, 9.53, and Plesk 10.01. You should already have downloaded this as part of Plesk. Use:

# $PRODUCT_ROOT_D/admin/sbin/autoinstaller

Or use the following parameters:

# $PRODUCT_ROOT_D/admin/sbin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base

Note! The "$PRODUCT_ROOT_D" variable in the command should be replaced with its value according to http://kb.parallels.com/en/952

For Small Business Panel use:

# $PRODUCT_ROOT_D/admin/sbin/autoinstaller --select-product-id ppsmbe --select-release-current --reinstall-patch --install-component base

Details on this are below.

IMPACTED PLESK VERSIONS
Parallels Plesk Panel 9.5x and 10 include this vulnerability (earlier versions do not ship the affected ProFTPD component). Parallels Small Business Panel 10.2 is also affected.

OVERVIEW OF THE VULNERABILITY AND EXPLOIT
A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function, which processes TELNET IAC sequences on the FTP control connection.

ProFTPD bug report: http://bugs.proftpd.org/show_bug.cgi?id=3521

DETAILS ON THE VULNERABILITY AND EXPLOIT:
ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the Telnet or FTP protocol itself. The buffer overflow allows attackers to write arbitrary code to the application's stack and execute it. Updating to version 1.3.3c of ProFTPD solves the problem. The update also fixes a directory traversal vulnerability which can only be exploited if the "mod_site_misc" module is loaded. This flaw could allow attackers with write privileges to leave their permitted path and delete directories or create symbolic links outside of that path. The module is not loaded or compiled by default.

STEP-BY-STEP GUIDANCE ON USING MICRO UPDATES IN PLESK 9.5x and 10.x

NOTE: For installing Micro Updates in VZ Templates, please see this link: http://kb.parallels.com/7110

There are two ways to install micro-updates for Parallels Plesk Panel, such as the ProFTPD update.

  1. Using the CLI:

    # $PRODUCT_ROOT_D/admin/sbin/autoinstaller

    Or use the following parameters:

    # $PRODUCT_ROOT_D/admin/sbin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base

    Note! The "$PRODUCT_ROOT_D" variable in the command should be replaced with its value according to http://kb.parallels.com/en/952

  2. Using Parallels Panel GUI:

    a) Parallels Plesk Panel 9.5x: "Home" -> "Updates" -> Select the Panel version which has updates -> click "Install"

    b) Parallels Plesk Panel 10.x: "Server Management" -> "Tools & Utilities" -> "Updates" -> "Update Components" -> click "Continue"

    c) Parallels Small Business Panel: "Settings" -> "Updates" -> "Continue"

CHECKING TO SEE IF MICRO-UPDATES ARE INSTALLED IN THE SYSTEM

From the CLI, inspect the /root/.autoinstaller/microupdates.xml file:

# cat /root/.autoinstaller/microupdates.xml

It should contain the latest patch version:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<patches>
  <product id="plesk" version="10.0.1">
    <patch version="1" timestamp=""/>
  </product>
</patches>

This text means that MU #1 is installed on the Parallels Panel. For example, if you see <patch version="6" timestamp="" />, that means that MU #6 is installed.
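As an added example (not Parallels' or ProFTPD's code), the following POSIX shell script reads the MU number from a microupdates.xml file in the layout shown above and checks a ProFTPD version string against 1.3.3c, the release named above as the fix. It assumes that "proftpd -v" prints a banner of the form "ProFTPD Version 1.3.3c", and it works on a constructed sample file rather than the real /root/.autoinstaller/microupdates.xml.

```shell
#!/bin/sh
# Added example (not Parallels' or ProFTPD's code): read the micro-update (MU)
# number recorded in microupdates.xml and check a ProFTPD version string
# against 1.3.3c, the release that fixes the TELNET IAC overflow.

# Print the highest <patch version="N"> under <product id="$2"> in file $1.
installed_mu() {
  awk -v id="$2" '
    /<product id="/ { inprod = index($0, "id=\"" id "\"") > 0 }
    inprod && /<patch version="/ {
      v = $0; sub(/.*<patch version="/, "", v); sub(/".*/, "", v)
      if (v + 0 > max) max = v + 0
    }
    END { print max + 0 }' "$1"
}

# Extract "1.3.3c" from a banner; assumes "proftpd -v" prints "ProFTPD Version 1.3.3c".
version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.a-z]*\).*/\1/p'
}

# Succeed (exit 0) when version $1 is at least 1.3.3c. Versions look like
# MAJOR.MINOR.PATCH plus an optional letter, and "1.3.3c" sorts after "1.3.3".
proftpd_fixed() {
  num=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  letter=$(printf '%s' "$1" | sed 's/^[0-9.]*//' | cut -c1)
  major=${num%%.*}; rest=${num#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0           # "1.3" -> 1.3.0
  if [ -n "$letter" ]; then lcode=$(printf '%d' "'$letter"); else lcode=0; fi
  key=$(( major * 100000000 + minor * 1000000 + patch * 1000 + lcode ))
  fixed=$(( 1 * 100000000 + 3 * 1000000 + 3 * 1000 + 99 ))   # 1.3.3c
  [ "$key" -ge "$fixed" ]
}

# Constructed sample in the layout of /root/.autoinstaller/microupdates.xml.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<patches>
  <product id="plesk" version="10.0.1">
    <patch version="6" timestamp=""/>
  </product>
</patches>
EOF

echo "Plesk MU installed: $(installed_mu "$SAMPLE" plesk)"
for v in 1.3.2e 1.3.3 1.3.3c 1.3.4; do
  if proftpd_fixed "$v"; then echo "$v: fixed"; else echo "$v: VULNERABLE"; fi
done
```

On a live server, point installed_mu at the real file and feed the output of "proftpd -v" through version_from_banner to proftpd_fixed.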
