Bugzilla – Bug 3519
Inappropriate directory traversal allowed by mod_site_misc
Last modified: 2010-12-18 12:50:31 UTC
This bug report was provided by an anonymous researcher working with SecuriTeam Secure Disclosure program.

Synthesis
---------

ProFTPd is a major Open Source FTP server: http://www.proftpd.org/

ProFTPd is for example used by ftp.apple.com, ftp.openssl.org and ftp.rsa.com.

When ProFTPd is compiled with mod_site_misc and when a directory is writable, an attacker can use mod_site_misc to:
- create a directory located outside the writable directory
- delete a directory located outside the writable directory
- create a symlink located outside the writable directory
- change the time of a file located outside the writable directory

Vulnerable configuration
------------------------

The following configuration is vulnerable:
- ProFTPd version range 1.3.0a (2006) to 1.3.3b (latest version)
- AND with the mod_site_misc module (not enabled by default in ProFTPd)
- AND with a writable directory (ProFTPd has no default writable directory)

The mod_site_misc module provides the following FTP commands (http://www.proftpd.org/docs/contrib/mod_site_misc.html):
- SITE MKDIR : create a directory
- SITE RMDIR : delete a directory
- SITE SYMLINK : create a symbolic link
- SITE UTIME : change the time of a file

This module is provided with ProFTPd source code, but it is not enabled by default.

The ProFTPd configuration file (etc/proftpd.conf) can contain "Limit WRITE" sections to allow/deny users to write inside a directory. For example:

  <Anonymous ~ftp>
    ...
    # Limit WRITE everywhere in the anonymous chroot.
    <Limit WRITE>
      DenyAll
    </Limit>
    # Allow WRITE in this directory only.
    <Directory writableDir>
      <Limit WRITE>
        AllowAll
      </Limit>
    </Directory>
  </Anonymous>

The default ProFTPd configuration does not contain a writable directory.

Effects
-------

So, this vulnerability can be used to:
- create a directory located outside the writable directory
- delete a directory located outside the writable directory
- create a symlink located outside the writable directory
- change the time of a file located outside the writable directory
Created attachment 3431 [details] Fixes bug
Created attachment 3432 [details] Updates previous patch, fixing directory walking code to deal with canonicalized paths

With the fixing of the issue by canonicalizing paths, the code which walked a MKDIR directory needed to be updated to assume the now-canonicalized path, rather than assuming a relative path.
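The canonicalize-then-check idea named in the comment above, as an added example (this is not the ProFTPD patch or any code from the project): the function names, buffer sizes and sample arguments are assumptions made for illustration. It resolves the command argument to an absolute path first and only then compares it with the writable directory.

```c
#include <stdio.h>
#include <string.h>

/* Illustration only: canon_path() and write_allowed() are hypothetical names,
 * not ProFTPD functions. Lexically resolves ".", ".." and repeated "/" in
 * `path` (relative to `cwd` unless absolute). Returns 0, or -1 on overflow. */
int canon_path(const char *cwd, const char *path, char *out, size_t outlen)
{
    char buf[1024];
    size_t len = 0;
    if (outlen < 2 || (size_t)snprintf(buf, sizeof buf, "%s/%s",
                          path[0] == '/' ? "" : cwd, path) >= sizeof buf)
        return -1;
    out[0] = '\0';
    for (const char *p = buf; *p != '\0'; ) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            while (len > 0 && out[--len] != '/') { } /* drop last component */
            out[len] = '\0';            /* never climbs above "/" */
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            if (len + n + 2 > outlen)
                return -1;
            out[len++] = '/';
            memcpy(out + len, p, n);
            out[len += n] = '\0';
        }
        p += n + (p[n] == '/');
    }
    if (len == 0)
        strcpy(out, "/");
    return 0;
}

/* 1 only if the canonical form of `arg` is `dir` or lies beneath it.
 * `dir` is assumed canonical and not "/". Fails closed on overflow. */
int write_allowed(const char *cwd, const char *dir, const char *arg)
{
    char canon[1024];
    size_t n = strlen(dir);
    return canon_path(cwd, arg, canon, sizeof canon) == 0 &&
           strncmp(dir, canon, n) == 0 && (canon[n] == '/' || canon[n] == '\0');
}

int main(void)
{
    /* Constructed arguments; "/writableDir" mirrors the report's example. */
    const char *args[] = { "writableDir/new", "writableDir/../other" };
    for (int i = 0; i < 2; i++)
        puts(write_allowed("/", "/writableDir", args[i]) ? "allow" : "deny");
    return 0;
}
```

Lexical canonicalization does not resolve symbolic links; where links can exist under the writable directory, resolve the parent directory with realpath(3) before applying the same comparison.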
Patch committed to CVS, with accompanying regression tests. Backported to 1.3.3 branch.
I should add that there is a workaround configuration that can be used, to mitigate the buggy behavior until a patched mod_site_misc can be deployed:

  <Limit SITE_MKDIR SITE_RMDIR SITE_SYMLINK SITE_UTIME>
    DenyAll
  </Limit>

will deny the use of any of the problematic commands.
The vulnerability in question was present when mod_site_misc first appeared in the proftpd distribution, which was version 1.2.10rc1.
For future reference, the CVE for this vulnerability is: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3867
Resolved in 1.3.4rc1.