Plesk : ProFTPD Remote Code Execution Vulnerability and Exploit

A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences.

ProFTPD bug report:

Parallels Plesk Panel 9.x, 9.5x and 10 include this vulnerability. Parallels will issue Micro Updates (hotfixes) for 9.5.2 and 9.5.3 no later than 12:00 GMT (noon) on Thursday November 11, (7:00am EST in the US) to fix this. The patch for Parallels Plesk Panel 10.01 will be released at 17:00 GMT on Thursday November 11, (12:00pm EST in the US). Patches for Plesk 9.0, 9.22, and 9.3 will be posted by 12 noon GMT on Friday November 12, (7am EST in the US). Parallels updates on this will be coming soon.


Updating to ProFTPD version 1.3.3c or disabling FTP services is the only current solution to this vulnerability.
ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the Telnet or FTP protocol itself. The buffer overflow allows attackers to write arbitrary code to the application’s stack and launch it. Updating to version 1.3.3c of ProFTPD solves the problem.
The update also fixes a directory traversal vulnerability which can only be exploited if the “mod_site_misc” module is loaded. This flaw could allow attackers with write privileges to leave their permitted path and delete directories or create symbolic links outside of the path. The module is not loaded or compiled by default.
A remote root exploit is available:[Full-disclosure]ProFTPD IAC Remote Root Exploit.

A Proftpd update for Plesk has been provided by Atomic Rocket Turtle. To apply the update, execute the commands below.

# wget -O - |sh
# yum upgrade psa-proftpd

CPU/MySQL Usage is blank in WHM

“CPU/Memory/MySQL Usage” page blank

This is a common error across all cPanel releases. The most likely cause of this issue is related to the utility that actually generates the statistics. When cPanel is installed, several entries are added into crontab for the root user. The following is a list of the default crontab entries from a freshly installed cPanel server:

root@testbox [/etc/cron.hourly]# crontab -l | grep dcpumon

*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

root@testbox [/etc/cron.hourly]#

The dcpumon is the daemon that actually compiles the logs for the Usage page. If your Usage page is blank, it is normally because this utility is not running on the schedule that it is supposed to. The above crontab entry for dcpumon is set to run every five minutes, every hour.

The most common resolution for this issue is to restart crond:

root@testbox [~]# /etc/init.d/crond restart
Stopping crond:[OK]
Starting crond:[OK]
root@testbox [~]#

The restart of cron should force all crontab entries to be processed normally again. If after this you are still not seeing statistics on the Usage page, you should force a cpanel update from command line with “/scripts/upcp –force”. This should download and install a new copy of the dcpumon binary.