ProFTPD SQL Injection Vulnerability (Feb 20, 2009)

The ProFTPD server is a highly configurable GPL-licensed FTP server software mainly used in Linux distributions. In addition to using the host system for authentication, ProFTPD can authenticate users using a SQL database or LDAP.

When ProFTPD is configured to use a SQL database for authentication, it escapes and expands SQL statements before passing the query on to the database. After a SQL statement is escaped, ProFTPD performs various string substitutions on it. These substitutions are performed by the function resolve_short_tag, which transforms text it interprets as an internal ProFTPD tag into a value. Tags are specified as strings whose first character is %. Because resolve_short_tag transforms SQL statements after they have already been escaped, ProFTPD is vulnerable to SQL injection.

A remote attacker can exploit this vulnerability by placing a "%'" (percent + single quote) sequence in the username, followed by arbitrary SQL to be executed. For example, an attacker may specify the following string as the username:

root %') and 1=2 union SELECT 1,1,uid,gid,homedir,shell from ftpuser --

ProFTPD would perform its escaping and transformation processes in that order: escaping turns the single quote into \', and resolve_short_tag then treats the two-character sequence %\ as an (unknown) tag and replaces it, leaving the quote unescaped. The following SQL statement is sent to the database:

SELECT userid, passwd, uid, gid, homedir, shell FROM ftpuser WHERE (userid='root {UNKNOWN TAG}') and 1=2 union SELECT 1,1,uid,gid,homedir,shell from ftpuser -- ') LIMIT 1
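To make the ordering defect concrete, here is an added Python model of the escape-then-substitute flow described above beside the corrected order, with a quote-balance check and the username pattern a defender would watch for; it is illustration, not ProFTPD's code, and the query template, the backslash-style escaping and the "% plus next character" tag rule are assumptions.

```python
import re

# Toy model of the mod_sql flow the advisory describes: added illustration,
# not ProFTPD's own code. The query template, the MySQL-style backslash
# escaping and the "% plus next char" tag rule are assumptions.
TEMPLATE = ("SELECT userid, passwd, uid, gid, homedir, shell FROM ftpuser "
            "WHERE (userid='{user}') LIMIT 1")

def escape_sql(value: str) -> str:
    """Backslash-escape backslashes and single quotes."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def resolve_short_tag(text: str) -> str:
    """Stand-in for ProFTPD's resolve_short_tag: '%' plus the following
    character is a tag; '%%' yields a literal '%', anything else is unknown
    and becomes the '{UNKNOWN TAG}' placeholder shown in the advisory."""
    return re.sub(r"%.", lambda m: "%" if m.group(0) == "%%"
                  else "{UNKNOWN TAG}", text)

def build_query_vulnerable(username: str) -> str:
    """Affected order: escape first, then resolve tags over the statement.
    For the input %' the escaper produces %\\' and the resolver then eats
    the two-character tag %\\, leaving the quote live."""
    return resolve_short_tag(TEMPLATE.format(user=escape_sql(username)))

def build_query_fixed(username: str) -> str:
    """Resolve tags in the untrusted value first, then escape it, so escaping
    is the last step applied before the value enters the literal."""
    return TEMPLATE.format(user=escape_sql(resolve_short_tag(username)))

def unescaped_quotes(sql: str) -> int:
    """Count single quotes not preceded by a backslash; an odd count means a
    string literal boundary was broken."""
    return len(re.findall(r"(?<!\\)'", sql))

def suspicious_username(username: str) -> bool:
    """Defender-side check for the pattern the IPS signature keys on: a '%'
    immediately followed by a single quote in the FTP username."""
    return "%'" in username

if __name__ == "__main__":
    payload = ("root %') and 1=2 union SELECT 1,1,uid,gid,homedir,shell "
               "from ftpuser -- ")  # the advisory's example username
    for build in (build_query_vulnerable, build_query_fixed):
        query = build(payload)
        print(f"{build.__name__}: {unescaped_quotes(query)} quotes -> {query}")
```

With the advisory's username the affected order leaves three unescaped quotes in the statement (the literal is broken), while the corrected order leaves two and keeps the injected text inside the literal.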

A successful attack can allow the attacker to masquerade as an authenticated user and gain unauthorized access to the FTP server and the underlying database.

The vulnerability has been assigned CVE-2009-0542.

SonicWALL has released the following IPS signature that will detect and prevent potential attacks leveraging this vulnerability:

  • 1376 FTP ProFTPD Server Username Handling SQL Injection Attempt