Your message dated Tue, 16 Nov 2010 11:51:49 +0100
with message-id <[email protected]>
and subject line Re: Bug#603555: Security issue in proftpd-basic (1.3.3a-5)
has caused the Debian Bug report #603555,
regarding Security issue in proftpd-basic (1.3.3a-5)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
603555: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603555
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: proftpd-basic
Version: 1.3.3a-5

Hi, 

My server just got rooted and what I've done for now, to dig into what
could have been the leak, points to proftpd, mod_facl in particular.
I won't have a way to dig further until this evening (UTC+1 local time),
but it is a testing (squeeze) Debian almost up to date with only ssh,
apache and proftpd available from the outside.

Here is the logcheck notification that led me to think mod_facl is
guilty:

Nov 14 05:55:50 carmgate useradd[27810]: new group: name=psadmin, GID=1002
Nov 14 05:55:50 carmgate useradd[27810]: new user: name=psadmin, UID=1002, GID=1002, home=/home/psadmin, shell=/bin/sh
Nov 14 05:55:50 carmgate proftpd[9638]: error: duplicate fs paths not allowed: '/'
Nov 14 05:55:50 carmgate proftpd[9638]: mod_facl/0.4: error registering 'facl' FS: Operation not permitted
Nov 14 05:55:50 carmgate proftpd[9638]: mod_dso/0.5: module 'mod_facl.c' failed to initialize
Nov 14 05:55:50 carmgate proftpd[9638]: Fatal: LoadModule: error loading module 'mod_facl.c': Operation not permitted on line 86 of '/etc/proftpd/modules.conf'

After this, I've had a tiger notification that might show other
vulnerabilities (but on those, I could be the guilty one):

# Performing check of user accounts...
NEW: --WARN-- [acc006w] Login ID userx's home directory (/tmp) has world write access.
# Performing check of passwd files...
NEW: --WARN-- [pass002w] UID 0 exists multiple times (2) in /etc/passwd.
NEW: --WARN-- [pass002w] UID 9 exists multiple times (2) in /etc/passwd.
NEW: --WARN-- [pass017w] Login ID default has uid == 0.
# Checking the format of passwd and group files.
NEW: --FAIL-- [pass009f] Login default has a group id of 1 which should be reserved for bin or daemon.
NEW: --FAIL-- [pass009f] Login default has a user id of 0 which should be reserved for root
NEW: --FAIL-- [pass009f] Login default has an unusual password content.
NEW: --FAIL-- [pass009f] Login userx has an unusual password content.
NEW: --WARN-- [pass002w] File /etc/passwd has duplicate user ids:
NEW: default 0 root 0 news 9 userx 9

I don't know if the vulnerability in proftpd is a new one, but I found no
trace of such a thing by googling or browsing the proftpd or Debian bug
trackers, so I assume I am one of the lucky first to encounter this
(or else, I am just not good enough at finding bugs on trackers).

I'll add information to the bug as I get it, as soon as I can log on to the
server.

Best regards,
Carm



--- End Message ---
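The tiger output in the report above is the kind of post-compromise check worth being able to reproduce by hand: an extra UID 0 login, duplicate UIDs, password hashes sitting in /etc/passwd itself, and a home directory pointed at a world-writable path. The following is an added example, not tiger's code and not part of the bug report; the passwd lines it audits are constructed to mirror the accounts the tiger output names (root and default at UID 0, news and userx at UID 9, userx and default with home /tmp), and the directory modes used offline are assumptions standing in for os.stat on a real host.

```python
import os
import stat
from collections import defaultdict

# Constructed sample modelled on the accounts tiger named in the report;
# not the reporter's real /etc/passwd. 'default' carrying a hash in the
# password field and 'userx' having an empty one are assumptions that
# stand in for tiger's "unusual password content".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
default:$1$saltsalt$0123456789abcdefghijk:0:1::/tmp:/bin/sh
userx::9:9::/tmp:/bin/sh
psadmin:x:1002:1002::/home/psadmin:/bin/sh
"""

# Password-field values that do not put a hash into /etc/passwd itself.
NORMAL_PASSWD_FIELDS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Split passwd(5) lines into dicts; blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = parts
        try:
            entries.append({"name": name, "pw": pw, "uid": int(uid),
                            "gid": int(gid), "home": home, "shell": shell})
        except ValueError:
            continue
    return entries


def duplicate_uids(entries):
    """Map each UID shared by more than one login to the logins using it."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def extra_uid0(entries):
    """Logins other than root with UID 0 (a classic backdoor account)."""
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]


def unusual_password_fields(entries):
    """Logins whose passwd password field is not a shadow or lock marker."""
    return [e["name"] for e in entries if e["pw"] not in NORMAL_PASSWD_FIELDS]


def world_writable_homes(entries, stat_fn=os.stat):
    """Logins whose home directory is world-writable. stat_fn is injectable
    so the check can run against the fake filesystem below."""
    flagged = []
    for e in entries:
        try:
            st = stat_fn(e["home"])
        except OSError:
            continue  # a missing home directory is a separate finding
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            flagged.append(e["name"])
    return flagged


class _FakeStat:
    def __init__(self, mode):
        self.st_mode = mode


# Assumed directory modes for the offline demo; pass os.stat on a real host.
FAKE_MODES = {
    "/root": stat.S_IFDIR | 0o700,
    "/usr/sbin": stat.S_IFDIR | 0o755,
    "/var/spool/news": stat.S_IFDIR | 0o755,
    "/tmp": stat.S_IFDIR | 0o1777,
    "/home/psadmin": stat.S_IFDIR | 0o755,
}


def fake_stat(path):
    if path not in FAKE_MODES:
        raise FileNotFoundError(path)
    return _FakeStat(FAKE_MODES[path])


def audit(text, stat_fn=os.stat):
    """Run every check and return tiger-style warning strings."""
    entries = parse_passwd(text)
    findings = []
    for name in extra_uid0(entries):
        findings.append(f"Login ID {name} has uid == 0.")
    for uid, names in sorted(duplicate_uids(entries).items()):
        findings.append(f"UID {uid} exists multiple times ({len(names)}): {' '.join(names)}")
    for name in unusual_password_fields(entries):
        findings.append(f"Login {name} has an unusual password content.")
    for name in world_writable_homes(entries, stat_fn):
        findings.append(f"Login ID {name}'s home directory has world write access.")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, fake_stat):
        print("--WARN--", finding)
```

Run against a live box with `audit(open("/etc/passwd").read())`; on a host that is already suspected compromised, read the file from a mounted image or a copy rather than trusting the running system's libc and tools.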
--- Begin Message ---
Ok, closing as requested by submitter.

On Tue, Nov 16, 2010 at 08:39:41AM +0100, Jean Couillaud wrote:
> 
> Ok, I've a little more information, unfortunately...
> First, though, I checked the apt history, and what I purged was
> proftpd-basic:i386 (1.3.3a-4)
> I found no trace of the config files removed thanks to the --purge flag. I
> could try to use some forensic tool, but I am not sure it's worth the
> effort if the 1.3.3a-4 package held a proftpd version vulnerable to the
> IAC Remote Root issue.
> 

-- 
Francesco P. Lovergine


--- End Message ---
