Jump to content

Proftpd 1.3.3c Compromised Source Remote Root Trojan


digip
 Share

Recommended Posts

Whether you run it at home, work, your website, etc, be sure to find out if you are vulnerable. This is not a matter of some flaw that could lead to compromise from a remote attack, but instead this was planted directly in the source files for all synced distributors of the legit software, leaving any new installs or upgrades vulnerable to attack if they met the following criteria.

== ProFTPD Compromise Report ==

On Sunday, the 28th of November 2010 around 20:00 UTC the main

distribution server of the ProFTPD project was compromised. The

attackers most likely used an unpatched security issue in the FTP daemon

to gain access to the server and used their privileges to replace the

source files for ProFTPD 1.3.3c with a version which contained a backdoor.

The unauthorized modification of the source code was noticed by

Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on

Wednesday, December 1 and fixed shortly afterwards.

The fact that the server acted as the main FTP site for the ProFTPD

project (ftp.proftpd.org) as well as the rsync distribution server

(rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who

downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28

to 2010-12-02 will most likely be affected by the problem.

The backdoor introduced by the attackers allows unauthenticated users

remote root access to systems which run the maliciously modified version

of the ProFTPD daemon.

Users are strongly advised to check systems running the affected code for

security compromises and compile/run a known good version of the code.

To verify the integrity of the source files, use the GPG signatures

available on the FTP servers as well on the ProFTPD homepage at

Read more: http://www.exploit-db.com/exploits/15662/

Edited by digip
Link to comment
Share on other sites

If anyone is interested in playing with exploits/trojans and getting an idea how they work this is a great one to start with. The actual backdoor is a single line of code and then there is a call home script and a modification to the configure file to get it all in place and tidy up.

I don't like the fact it was done but it is a very neat bit of work that is definitely worth looking at.

Link to comment
Share on other sites

If anyone is interested in playing with exploits/trojans and getting an idea how they work this is a great one to start with. The actual backdoor is a single line of code and then there is a call home script and a modification to the configure file to get it all in place and tidy up.

I don't like the fact it was done but it is a very neat bit of work that is definitely worth looking at.

I'd be more interested in how they got into the ProFTPD site to seed all the backdoors.

Thats a pretty epic hack, but not the first of its kind. No one is safe from this sort of thing, its just a matter of whether or not its detected or known about.

There was the LCD Picture frame fiasco from a few years ago, then there was Windows itself that used to install malware to users when updating (I think) Internet Explorer in one of its .chm Help files back in the day, and there was the iPods that shipped with a windows virus and would infect the system when plugged in for the first time via USB. There were even the Cisco or Juniper routers (can't remember who exactly) that shipped with hardware backdoors and faulty encryption keys. One of my Cisco teachers who works for an Aeronautics company had that happen to them and all the hardware had to be destroyed due to backdoors put in the hardware itself before it shopped from an overseas order. I just wonder how they catch these sort of things before deployment in the production environment, because they caught it before they installed any of the devices.

Link to comment
Share on other sites

Could it have been an insider, or they somehow overlooked their security and someone managed to break in.

Link to comment
Share on other sites

This is what they think happened http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org

On Sunday, the 28th of November 2010 around 20:00 UTC the main

distribution server of the ProFTPD project was compromised. The

attackers most likely used an unpatched security issue in the FTP daemon

to gain access to the server and used their privileges to replace the

source files for ProFTPD 1.3.3c with a version which contained a backdoor.

The unauthorized modification of the source code was noticed by

Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on

Wednesday, December 1 and fixed shortly afterwards.

It doesn't say if they were actually running their own software on the FTP server so:

* They don't run the latest version of their own code

* They run other people code on their ftp server

* There is an as yet undisclosed 0-day in their server

Link to comment
Share on other sites

We're in the process of investigating the compromised host and will

provide additional information if and as it becomes available.

Source: http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org

I hope they take that as a lesson and learn from the incident and their mistakes.

So to prevent future attacks from happening again.

Edited by Infiltrator
Link to comment
Share on other sites

We're in the process of investigating the compromised host and will

provide additional information if and as it becomes available.

Source: http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org

I hope they take that as a lesson and learn from the incident and their mistakes.

So to prevent future attacks from happening again.

Thats all fine and dandy, but there is no protection if it was a non-disclosed 0-day in their server somewhere. Might not of even been a flaw in their own software. Could have been a third party issue or server vuln no one knows about.

Link to comment
Share on other sites

Thats all fine and dandy, but there is no protection if it was a non-disclosed 0-day in their server somewhere. Might not of even been a flaw in their own software. Could have been a third party issue or server vuln no one knows about.

Yeah I know you can't really prevent 0 days attacks yet, the vulnerability needs to be discovered first by someone, and then a patch worked on, so it can be applied on the flaw.

Is there a software that can find vulnerabilities inside a source code of a program? Or the only way to discover a vulnerability is through reverse engineering and looking at thousands of lines of code.

Link to comment
Share on other sites

Yeah I know you can't really prevent 0 days attacks yet, the vulnerability needs to be discovered first by someone, and then a patch worked on, so it can be applied on the flaw.

Is there a software that can find vulnerabilities inside a source code of a program? Or the only way to discover a vulnerability is through reverse engineering and looking at thousands of lines of code.

There are quite a few apps that will do static code analysis but they look for bugs rather than deliberate backdoors like this one.

Link to comment
Share on other sites

There are quite a few apps that will do static code analysis but they look for bugs rather than deliberate backdoors like this one.

Of course, I read some articles about static code analysis before, but that was on how to reverse engineer a computer worm.

But I guess the principle remains the same, if I am not wrong.

Link to comment
Share on other sites

Of course, I read some articles about static code analysis before, but that was on how to reverse engineer a computer worm.

But I guess the principle remains the same, if I am not wrong.

There are source code scanners that check for flaws, but I think you miss the point. Their source code didn't have a flaw. The attackers managed to gain access to their server and then placed a back door in their code base that synced to all the other mirroring servers. This didn't make the software flawed, it was an intentional backdoor, not some piece of code vulnerable to a heap sspray or buffer overflow. So when people updated to that specific version, their servers then became vulnerable to attack through the back door added by the attackers.

It hasn't been disclosed yet if it was a flaw in ProFTPD itself that gave them access to their files, or some other mechanism as to how they obtained access to their server, but either way, the end result was a poisoned distribution of the that version of the program.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...