Re: [suse-security] proFTP remote exploit?
suse-security@fortytwo.ch (Adrian von Bidder) writes:
acidrain@HACKBOX.COM posted a proftpd exploit (buffer overflow, it seems) some days ago (27.8.). Does somebody know whether the proFTPd release used in SuSE 6.0/6.1/6.2 is vulnerable to this? Is there a new rpm that is not vulnerable?
There seems to be no rpm yet, but a new version is available. It is not stated on the site yet, but on the ProFTPD mailing list version 1.2.0pre4 was announced, which fixes the bug that was mailed to Bugtraq this weekend.

<snip from "MacGyver" <macgyver@tos.net>>
> Until then, I'm announcing ProFTPD 1.2.0pre4 -- this fixes the bug announced on BUGTRAQ, as well as addresses (hopefully) all the sprintf-style buffer overruns in ProFTPD. Please download, test, and knock it around.
> I suspect this version will still fail on FreeBSD (anyone care to offer up an account for me on a FreeBSD system to test on?).
> You may get 1.2.0pre4 at ftp://ftp.tos.net/pub/proftpd/.
</snip>

The problem is that I get a lot of errors when I try to compile the package under SuSE 6.2. :-(

Regards, Jochen
-- 
*** Linux BBS: The German website for Linux news and info *** http://www.linuxbbs.org/
Jochen Lillich wrote:
> The problem is that I get a lot of errors when I try to compile the package under SuSE 6.2. :-(
> Regards, Jochen
The solution is to quit trying to "fix" something that isn't broke. SuSE 6.2 uses wuftp not proFTP, the bug doesn't apply.
However, with the many security problems that wu-ftpd has had in the past, many of us have simply switched to ProFTPD (which is included in the 6.1 disk set). I thought that ProFTPD was the default ftpd install on 6.2 (except that wu-ftpd is for some reason still set up in inetd.conf)?

Cheers, Gregory Conron

And for the record, I also get compile error complaints when compiling that latest ProFTPD rpm (SuSE 6.1, kernel 2.2.7)..

"J.D.K. Chipps" wrote:
> Jochen Lillich wrote:
> > The problem is that I get a lot of errors when I try to compile the package under SuSE 6.2. :-(
> > Regards, Jochen
> The solution is to quit trying to "fix" something that isn't broke.
> SuSE 6.2 uses wuftp not proFTP, the bug doesn't apply.
Hello!

Gregory Conron wrote:
[Snip]
> And for the record, I also get compile error complaints when compiling that latest ProFTPD rpm (SuSE 6.1, kernel 2.2.7)..
[Snip]
> Jochen Lillich wrote:
> > The problem is that I get a lot of errors when I try to compile the package under SuSE 6.2. :-(
Which compiler are you two using? I had success with the following combination:

- SuSE 6.1 with all upgrades available until 25.08.99
- Kernel 2.2.10 (compiled from kernel.org sources)
- egcs 1.1.2 (sources from Cygnus, self-compiled with the egcs 1.? from SuSE 6.1) (ftp://egcs.cygnus.com/pub/egcs/releases/egcs-1.1.2/egcs-1.1.2.tar.bz2)
- proftpd-1.2.0.pre4 (via http://freshmeat.net)

Since I upgraded the compiler to gcc 2.95.1 (ftp://egcs.cygnus.com/pub/egcs/releases/gcc-2.95.1/gcc-2.95.1.tar.bz2) two days ago, I just tried this one too. It works!

BTW Jochen: Which compiler version is included with 6.2?

Ciao, Martin
Hiya all together,

regarding all those proftpd exploits and the "emergency-style" unofficial suse-security announcement released this evening, and a (possible) break-in at one of our systems, I have some questions to all of you - perhaps someone can help me!

1. How exactly does the exploit work? I have some C code from BugTraq - but how is the exploit executed? Does the offending user have to log in, or is the buffer overflow in the login-checking sequence? Does he send a file, or just a command containing the overflow + shell code? I'm not too good at reading C code, so if somebody might give me a hint......

2. How can I identify a hijacked system? (I've been to the CERT pages, and yes we use tripwire - but is there a "quick", proftpd-crack-specific way to determine if the attempt was successful?)

3. On the probably hijacked machine we have ended up with about 650 MB of /var/log/xferlog, near the end filled up all with ".t .t .t .t .t" and so on. We also have a new (:-(( ) file in / named .t. Might this be proof of being cracked?

4. Which versions of proftpd on SuSE are affected? In the unofficial announcement, Marc Heuse stated that users running 6.1 are not vulnerable - the eventually hijacked box is running 6.1 with proftpd-1.2.0pre1-26 ...

5. Might the root exploit just end up as a DoS attack (the machine stopped running because it ran out of space on /), if it fails, pushing the xferlog beyond a normal size?

I hope someone of you might help, as tripwire says that the box is clean - but I have a bad feeling about all this...

Thanks in advance, and sleep well (it's 1:32am in Germany right now)...

Stefan Salzer
-- 
Quality is not what you promise, but what you deliver!
Would you like to receive our free newsletter "cinNews"? You can subscribe at http://news.cin.de!
Stefan Salzer, Connect Internetworking, Hauptstr. 139, 63110 Rodgau, Germany
e-mail: salt@cin.de, Phone: +49 6106 8498 0, Fax: +49 6106 8498 299, WWW: http://www.cin.de
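A quick, xferlog-specific triage check of the kind questions 2 and 3 ask for, added here as an example; it is not part of the post, of the suse-security announcement, or of ProFTPD. It parses the standard wu-ftpd/ProFTPD xferlog record layout and flags three things the post describes: uploads whose filename starts with a dot (hidden from a plain ls, like the new /.t), the same host transferring the same path over and over, and lines that are not xferlog records at all (the ".t .t .t" filler). The log excerpt is constructed for the example; the hosts, filenames and threshold are assumptions. A hit is a reason to pull the box and verify installed packages against the installation media, not proof of compromise on its own.

```python
from collections import Counter

# Constructed xferlog excerpt (not from the list post) in the wu-ftpd/ProFTPD xferlog
# layout: 5 date tokens, transfer-time, remote-host, bytes, filename, transfer-type,
# special-action, direction (i=upload, o=download), access-mode, username, service,
# auth-method, auth-uid, completion-status. The last line mimics the ".t .t .t" filler
# the post describes.
SAMPLE_XFERLOG = """\
Sat Sep 11 20:01:12 1999 3 10.0.0.9 10240 /pub/README a _ o a guest@example ftp 0 * c
Sat Sep 11 23:40:01 1999 0 10.0.0.23 2 /.t b _ i r ftp ftp 0 * c
Sat Sep 11 23:40:01 1999 0 10.0.0.23 2 /.t b _ i r ftp ftp 0 * c
Sat Sep 11 23:40:02 1999 0 10.0.0.23 2 /.t b _ i r ftp ftp 0 * c
.t .t .t .t .t .t .t .t
"""

XFERLOG_FIELDS = 18  # 5 date tokens + 13 record fields


def parse_xferlog_line(line):
    """Return a dict for a well-formed xferlog record, or None for anything else."""
    parts = line.split()
    if len(parts) != XFERLOG_FIELDS:
        # filenames containing spaces also land here; they need manual review anyway
        return None
    return {
        "time": " ".join(parts[0:5]),
        "host": parts[6],
        "size": int(parts[7]) if parts[7].isdigit() else -1,
        "file": parts[8],
        "direction": parts[11],
        "user": parts[13],
    }


def audit_xferlog(text, burst_threshold=3):
    """Flag hidden-file uploads, repeated identical transfers and unparseable lines."""
    per_host_file = Counter()
    hidden_uploads = Counter()
    malformed = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_xferlog_line(raw)
        if rec is None:
            malformed += 1
            continue
        key = (rec["host"], rec["file"])
        per_host_file[key] += 1
        basename = rec["file"].rsplit("/", 1)[-1]
        # an upload whose basename starts with '.' does not show up in a plain 'ls'
        if rec["direction"] == "i" and basename.startswith("."):
            hidden_uploads[key] += 1
    bursts = {k: n for k, n in per_host_file.items() if n >= burst_threshold}
    return {
        "hidden_uploads": dict(hidden_uploads),
        "bursts": bursts,
        "malformed": malformed,
    }


def report(audit):
    """Human-readable lines for the findings in an audit_xferlog() result."""
    lines = []
    for (host, path), n in audit["hidden_uploads"].items():
        lines.append(f"hidden upload: {host} wrote {path} {n} time(s)")
    for (host, path), n in audit["bursts"].items():
        lines.append(f"burst: {host} transferred {path} {n} times")
    if audit["malformed"]:
        lines.append(f"{audit['malformed']} line(s) are not xferlog records; inspect them by hand")
    return lines


if __name__ == "__main__":
    for line in report(audit_xferlog(SAMPLE_XFERLOG)):
        print(line)
```

On a 650 MB log you would run it with `audit_xferlog(open("/var/log/xferlog").read())` on a copy taken off the machine, and compare the timestamps of the first hidden upload against the modification time of the /.t file and against the last clean tripwire run.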
Hi all,

Seems I am getting scanned from 195.252.142.6. What can anyone tell me about the type of scan (aside from the fact s/he is using nmap) and the flags set? Something to worry about, or just someone scanning a block of IPs looking for a possible exploit? The log from /var/log/warn is attached below, and the address is mail.tli.de

Thanks, Gregory Conron

--- /var/log/warn
Sep 11 22:14:59 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 2558, 2559, 2560, 2561, 2562, 2563, 2564, 2565, 2566, ..., flags ??r??u, TOS 08, TTL 236, started at 22:14:51
Sep 11 22:18:01 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 4102, 4115, 4128, 4153, 4166, 4179, 4204, 4218, 4231, ..., flags ??r??u, TOS 08, TTL 236, started at 22:17:54
Sep 11 22:18:36 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 4936, 4961, 4974, 4999, 1038, 1052, 1073, 1100, 1120, ..., flags ??r??u, TOS 08, TTL 236, started at 22:18:29
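To turn the "what does this log tell me" question into something reproducible, here is an added parser for scanlogd lines; it is my example, not code from scanlogd, nmap or the list. It takes the three /var/log/warn lines quoted in the post as input and summarizes, per source address, the source port used, the probed ports, the TTL and the flag summary. It assumes scanlogd's six-position flag notation in the order FIN SYN RST PSH ACK URG, where a letter means the flag was set in every packet of the scan, '-' that it was never set and '?' that it varied between packets; the function and field names are mine.

```python
import re
from collections import defaultdict

# The three scanlogd lines quoted in the post above, used unchanged as sample input.
WARN_LOG = """\
Sep 11 22:14:59 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 2558, 2559, 2560, 2561, 2562, 2563, 2564, 2565, 2566, ..., flags ??r??u, TOS 08, TTL 236, started at 22:14:51
Sep 11 22:18:01 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 4102, 4115, 4128, 4153, 4166, 4179, 4204, 4218, 4231, ..., flags ??r??u, TOS 08, TTL 236, started at 22:17:54
Sep 11 22:18:36 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 4936, 4961, 4974, 4999, 1038, 1052, 1073, 1100, 1120, ..., flags ??r??u, TOS 08, TTL 236, started at 22:18:29
"""

SCANLOGD_RE = re.compile(
    r"scanlogd: From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+) "
    r"ports (?P<ports>\d+(?:, \d+)*)(?P<more>, \.\.\.)?, "
    r"flags (?P<flags>[-?fsrpau]{6}), TOS (?P<tos>[0-9a-fA-F]+), "
    r"TTL (?P<ttl>\d+), started at (?P<started>[\d:]+)"
)

# Assumed scanlogd notation: one character per TCP flag, in this order; the letter when
# the flag was set in every packet, '-' when never set, '?' when it varied.
FLAG_ORDER = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def decode_flags(summary):
    """Map a six-character scanlogd flag summary to {flag: always|never|varies}."""
    decoded = {}
    for name, ch in zip(FLAG_ORDER, summary):
        decoded[name] = "varies" if ch == "?" else "never" if ch == "-" else "always"
    return decoded


def parse_scanlogd(line):
    """Parse one scanlogd syslog line; None if it is not a scanlogd report."""
    m = SCANLOGD_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
        "ports": [int(p) for p in m["ports"].split(", ")],
        "truncated": m["more"] is not None,   # scanlogd lists only the first few ports
        "flags": decode_flags(m["flags"]),
        "tos": m["tos"], "ttl": int(m["ttl"]), "started": m["started"],
    }


def summarize(text):
    """Aggregate scanlogd reports per source address."""
    by_src = defaultdict(lambda: {"events": 0, "ports": set(), "source_ports": set(),
                                  "flag_patterns": set(), "ttls": set()})
    for line in text.splitlines():
        rec = parse_scanlogd(line)
        if rec is None:
            continue
        s = by_src[rec["src"]]
        s["events"] += 1
        s["ports"].update(rec["ports"])
        s["source_ports"].add(rec["sport"])
        s["flag_patterns"].add(tuple(sorted(rec["flags"].items())))
        s["ttls"].add(rec["ttl"])
    return dict(by_src)


def assess(summary):
    """Defender-side observations worth putting in the ticket."""
    notes = []
    for src, s in summary.items():
        if s["source_ports"] == {20}:
            notes.append(f"{src}: every probe used source port 20 (ftp-data); a packet filter "
                         "that passes any traffic from sport 20 to support active FTP would not stop it")
        if len(s["flag_patterns"]) == 1:
            notes.append(f"{src}: identical flag summary across {s['events']} events, one tool in one run")
        lo, hi = min(s["ports"]), max(s["ports"])
        notes.append(f"{src}: {len(s['ports'])} logged ports between {lo} and {hi} "
                     f"(list truncated by scanlogd), TTL {sorted(s['ttls'])}")
    return notes


if __name__ == "__main__":
    for note in assess(summarize(WARN_LOG)):
        print(note)
```

The useful answer for the original question is in the summary rather than in any single line: a constant source port, a constant TTL and one flag pattern across a spread of high ports is one scanner sweeping a block, and the thing to check on your own side is whether any firewall rule trusts source port 20.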
participants (5)
-
Gregory Conron
-
J.D.K. Chipps
-
Jochen Lillich
-
Martin Schneider
-
Stefan Salzer