ProFTPD SQL Injection Vulnerability

March 3, 2009

The ProFTPD server is a highly configurable GPL-licensed FTP server software mainly used in Linux distributions. In addition to using the host system for authentication, ProFTPD can authenticate users using a SQL database or LDAP.

When ProFTPD is configured to use a SQL database for authentication, it escapes and expands SQL statements before passing the query on to the database. After a SQL statement is escaped, ProFTPD performs various string substitutions on it. These substitutions are performed by the function resolve_short_tag, which transforms text it interprets as an internal ProFTPD tag into the tag's value. Tags are specified as strings whose first character is %. Because resolve_short_tag transforms SQL statements after they have been escaped, the substitution can consume the escaping character that precedes a quote, leaving the quote unescaped; ProFTPD is therefore vulnerable to a SQL injection attack.

A remote attacker can exploit this vulnerability by specifying a "%'" (percent + single quote) string in the username, followed by arbitrary SQL to be executed. For example, an attacker may specify the following string as the username:

root %') and 1=2 union SELECT 1,1,uid,gid,homedir,shell from ftpuser --

ProFTPD would perform its escaping and transformation processes, causing the following SQL statement to be sent to the database:

SELECT userid, passwd, uid, gid, homedir, shell FROM ftpuser WHERE (userid='root {UNKNOWN TAG}') and 1=2 union SELECT 1,1,uid,gid,homedir,shell from ftpuser -- ') LIMIT 1
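The following Python model, added here as an illustration and not taken from ProFTPD's source, reproduces the ordering flaw described above: the username is escaped first, then "%"-prefixed tags are expanded over the whole statement, so the escaping backslash in "%\'" is swallowed as part of an unknown tag and the quote is reinstated. The tag table, the escaper, the query template and the trailing space on the username (needed for the "-- " comment) are assumptions made for the model; the hardened builder shows the defender's fix, expanding tags only in the trusted template and binding the username as a query parameter.

```python
import re
import sqlite3

# Constructed stand-in for ProFTPD's internal tag table (assumption, not the real set).
KNOWN_TAGS = {"%u": "anonymous", "%h": "localhost"}

# Query template of the shape shown in the advisory (assumed, not ProFTPD's literal text).
TEMPLATE = ("SELECT userid, passwd, uid, gid, homedir, shell FROM ftpuser "
            "WHERE (userid='{user}') LIMIT 1")

# Username from the advisory; the trailing space is assumed so that "-- " is a
# valid SQL comment, matching the "-- ')" shown in the resulting statement.
ADVISORY_USERNAME = ("root %') and 1=2 union SELECT 1,1,uid,gid,homedir,shell "
                     "from ftpuser -- ")

# Statement the advisory says reaches the database.
ADVISORY_QUERY = ("SELECT userid, passwd, uid, gid, homedir, shell FROM ftpuser "
                  "WHERE (userid='root {UNKNOWN TAG}') and 1=2 union "
                  "SELECT 1,1,uid,gid,homedir,shell from ftpuser -- ') LIMIT 1")


def escape_sql_string(value: str) -> str:
    """Backslash-escape quotes, as a MySQL-style escaper does."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def resolve_short_tag_model(text: str) -> str:
    """Model of resolve_short_tag: every '%' plus the following character is
    treated as a tag and replaced by its value, or by '{UNKNOWN TAG}' when it is
    not recognised. This is an assumption about the behaviour the advisory
    describes, not ProFTPD's implementation."""
    return re.sub(r"%.", lambda m: KNOWN_TAGS.get(m.group(0), "{UNKNOWN TAG}"), text)


def build_query_vulnerable(username: str) -> str:
    """Flawed order: escape the username, then expand tags over the whole
    statement. A '%' placed before the escaping backslash swallows it."""
    statement = TEMPLATE.format(user=escape_sql_string(username))
    return resolve_short_tag_model(statement)


def build_query_fixed(username: str):
    """Hardened order: tags are expanded only in the trusted template and the
    untrusted username is bound as a parameter, never spliced into SQL text."""
    sql = resolve_short_tag_model(TEMPLATE.replace("'{user}'", "?"))
    return sql, (username,)


def lookup_fixed(username: str):
    """Run the parameterised query against a constructed in-memory ftpuser table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ftpuser (userid, passwd, uid, gid, homedir, shell)")
    db.execute("INSERT INTO ftpuser VALUES ('root', 'x', 0, 0, '/root', '/bin/sh')")
    sql, params = build_query_fixed(username)
    return db.execute(sql, params).fetchone()


if __name__ == "__main__":
    print(build_query_vulnerable(ADVISORY_USERNAME))   # quote reinstated by tag expansion
    print(build_query_vulnerable("o'brien"))           # benign quote stays escaped
    print(lookup_fixed(ADVISORY_USERNAME))             # None: bound parameter matches no row
```

The key point for a fix is the order of operations: any escaping of untrusted input must be the last transformation applied before the statement reaches the database, and binding the value as a parameter removes the question entirely. A benign username such as o'brien passes through the flawed builder with its quote still escaped, which is why the defect only surfaces when a "%" precedes the quote.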

A successful attack can allow the attacker to masquerade as an authenticated user and gain unauthorized access to the FTP server and the underlying database.

The vulnerability has been assigned CVE-2009-0542.

SonicWALL has released the following IPS signature that will detect and prevent potential attacks leveraging this vulnerability:

  • 1376 FTP ProFTPD Server Username Handling SQL Injection Attempt
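As an added example of the kind of check such a signature performs, the Python below inspects FTP control-channel USER commands for the pattern the advisory describes (a "%" immediately before a single quote) and, as a weaker second rule, for "%" combined with SQL comment or keyword tokens. It is written for this page and does not reproduce SonicWALL's signature logic; the session lines are constructed, with the advisory's username reused as the malicious sample.

```python
import re
from typing import List, Tuple

# FTP USER command on the control channel (RFC 959: "USER <name>").
USER_CMD = re.compile(r"^\s*USER\s+(?P<name>.*?)\s*$", re.IGNORECASE)

# Rule 1: "%" directly before a single quote, the CVE-2009-0542 trigger.
TAG_BEFORE_QUOTE = re.compile(r"%'")

# Rule 2: "%" anywhere in the name together with SQL comment/keyword tokens.
SQL_TOKENS = re.compile(r"(--|\bunion\b|\bselect\b|\bor\b)", re.IGNORECASE)

# Constructed sample session (not captured traffic); line 3 reuses the advisory's username.
SAMPLE_SESSION = [
    "USER alice",
    "PASS hunter2",
    "USER o'brien",
    "USER root %') and 1=2 union SELECT 1,1,uid,gid,homedir,shell from ftpuser -- ",
    "USER bob%20smith",
    "RETR file.txt",
]


def inspect_username(name: str) -> List[str]:
    """Return the list of reasons a USER argument looks like the advisory's pattern."""
    reasons = []
    if TAG_BEFORE_QUOTE.search(name):
        reasons.append("percent tag immediately before a quote (CVE-2009-0542 pattern)")
    if "%" in name and SQL_TOKENS.search(name):
        reasons.append("percent tag combined with SQL comment/keyword tokens")
    return reasons


def flag_user_commands(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Scan control-channel lines; return (line index, username, reasons) for each hit."""
    hits = []
    for idx, line in enumerate(lines):
        m = USER_CMD.match(line)
        if not m:
            continue
        reasons = inspect_username(m.group("name"))
        if reasons:
            hits.append((idx, m.group("name"), reasons))
    return hits


if __name__ == "__main__":
    for idx, name, reasons in flag_user_commands(SAMPLE_SESSION):
        print(f"line {idx}: USER {name!r}: {'; '.join(reasons)}")
```

Usernames containing a "%" on their own (bob%20smith) or a quote on its own (o'brien) are not flagged; only the combination the advisory describes is. Matching on the control channel is only possible where the FTP session is not wrapped in TLS, which is a general limitation of network-side detection for this class of bug.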