CVE-2010-3867: You wanna play with ProFTPD?

On 2010-09-24, ZDI discovered a vulnerability in ProFTPD versions between 1.3.2rc3 and 1.3.3b. This vulnerability, Telnet IAC, allows a remote attacker to execute arbitrary code on vulnerable installations of ProFTPD without authentication.

On 2010-11-02, the ZDI and ProFTPD teams released coordinated advisories (ZDI-10-229) and version 1.3.3c, which fixes the Telnet IAC remote exploit.
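To check your own servers against the range stated above (1.3.2rc3 through 1.3.3b, fixed in 1.3.3c), here is an added example, not code from the original post or from the ProFTPD project. It orders ProFTPD version strings (release candidates, plain releases, letter-suffixed maintenance releases) and classifies a greeting banner. The sample banners are constructed, and a match is only an indicator, since a vendor may backport the fix without changing the version string.

```python
import re

# Affected range as stated in the text above; 1.3.3c is the fixed release.
FIRST_AFFECTED = "1.3.2rc3"
LAST_AFFECTED = "1.3.3b"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?")
_BANNER_RE = re.compile(r"ProFTPD\s+(\d+\.\d+\.\d+(?:rc\d+|[a-z])?)\b", re.I)


def version_key(version):
    """Return a sortable tuple: 1.3.2rc3 < 1.3.2 < 1.3.2a < 1.3.3rc1."""
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised ProFTPD version: {version!r}")
    major, minor, patch, rc, letter = m.groups()
    if rc is not None:
        stage = (0, int(rc))                        # release candidate
    elif letter is None:
        stage = (1, 0)                              # plain release
    else:
        stage = (2, ord(letter) - ord("a") + 1)     # maintenance release
    return (int(major), int(minor), int(patch)) + stage


def is_affected(version):
    """True if the version lies inside the advisory's affected range."""
    low, high = version_key(FIRST_AFFECTED), version_key(LAST_AFFECTED)
    return low <= version_key(version) <= high


def check_banner(banner):
    """True/False for a ProFTPD banner, None if no version is advertised."""
    m = _BANNER_RE.search(banner)
    return is_affected(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed sample banners (documentation address, not real hosts).
    samples = [
        "220 ProFTPD 1.3.3a Server (Debian) [::ffff:192.0.2.10]",
        "220 ProFTPD 1.3.3c Server ready.",
        "220 FTP Server ready.",
    ]
    for line in samples:
        print(f"{check_banner(line)!s:5}  {line}")
```

A `None` result means the banner hides the version, so the installed package version has to be checked on the host itself.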

As always, security researchers jumped on the advisories to create valid public PoCs or exploits.

On 2010-11-04, the Rapid7 team, jduck among them, integrated a valid exploit into Metasploit, targeting:

On 2010-11-07, Kingcope released on Exploit-DB (EDB-ID-15449) a valid exploit for:

  • ProFTPD 1.3.3a on FreeBSD 8.1 i386
  • ProFTPD 1.3.2a/e/c on FreeBSD 8.0/7.3/7.2 i386
  • ProFTPD 1.3.2e (Plesk binary) on Debian GNU/Linux 5.0
  • ProFTPD 1.3.3 (Plesk binary) on Debian GNU/Linux 5.0
  • ProFTPD 1.3.2e (Plesk binary) on Debian GNU/Linux 4.0
  • ProFTPD 1.3.3a (distro binary) on Debian Linux Squeeze/sid
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 9.3
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 10.0/10.3
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 10.2
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 11.0
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 11.1
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux SLES 10
  • ProFTPD 1.3.2e (Plesk binary) on CentOS 5

What is interesting in the Kingcope exploit is to see all the “Plesk binaries” impacted by the vulnerability. At least all Plesk versions between 9.5 and 10.0 inclusive are vulnerable. Just play with Shodan and you will get a list of thousands of vulnerable servers.

Below is a demonstration video of both exploits.