ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow - Nessus

Critical   Plugin ID: 70446

---

This page contains detailed information about the ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 70446
Name: ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow
Filename: proftpd_rce.nasl
Vulnerability Published: 2010-11-02
This Plugin Published: 2013-10-15
Last Modification Time: 2018-08-31
Plugin Version: 1.7
Plugin Type: remote
Plugin Family: FTP
Dependencies: ftpserver_detect_type_nd_version.nasl
Required KB Items [?]: ftp/proftpd

Vulnerability Information

---

Severity: Critical
Vulnerability Published: 2010-11-02
Patch Published: 2010-10-29
CVE [?]: CVE-2010-4221
CPE [?]: cpe:/a:proftpd:proftpd

Synopsis

The remote ProFTP daemon is affected by a buffer overflow vulnerability.

Description

The remote ProFTP daemon is susceptible to an overflow condition. The TELNET_IAC escape sequence handling fails to properly sanitize user- supplied input resulting in a stack overflow. With a specially crafted request, an unauthenticated, remote attacker could potentially execute arbitrary code.

Solution

Upgrade to version 1.3.3c or later.

Public Exploits

---

Target Network Port(s): 21
Target Asset(s): Services/ftp
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow vulnerability:

1. Metasploit: exploit/linux/ftp/proftp_telnet_iac
   [ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)]
2. Metasploit: exploit/freebsd/ftp/proftp_telnet_iac
   [ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)]
3. Exploit-DB: exploits/linux/remote/15449.pl
   [EDB-15449: ProFTPd IAC 1.3.x - Remote Command Execution]
4. Exploit-DB: exploits/linux/remote/16851.rb
   [EDB-16851: ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)]
5. Exploit-DB: exploits/linux/remote/16878.rb
   [EDB-16878: ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)]
6. GitHub: https://github.com/5l1v3r1/0rion-Framework
   [CVE-2010-4221]
7. GitHub: https://github.com/M31MOTH/cve-2010-4221
   [CVE-2010-4221: This exploit was written to study some concepts, enjoy!]
8. GitHub: https://github.com/ankh2054/python-exploits
   [CVE-2010-4221]
9. GitHub: https://github.com/mudongliang/LinuxFlaw/tree/master/CVE-2010-4221
   [CVE-2010-4221]
10. GitHub: https://github.com/vasanth-tamil/ctf-writeups
    [CVE-2010-4221]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVSS Base Score:	10.0 (High)
Impact Subscore:	10.0
Exploitability Subscore:	10.0
CVSS Temporal Score:	8.3 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	8.3 (High)

CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

CVSS Base Score:	9.8 (Critical)
Impact Subscore:	5.9
Exploitability Subscore:	3.9
CVSS Temporal Score:	9.1 (Critical)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	9.1 (Critical)

Go back to menu.

Plugin Source

---

This is the proftpd_rce.nasl nessus plugin source code. This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(70446);
  script_version("1.7");
  script_cvs_date("Date: 2018/08/31 12:25:01");

  script_cve_id("CVE-2010-4221");
  script_bugtraq_id(44562);
  script_xref(name:"EDB-ID", value:"15449");

  script_name(english:"ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow");
  script_summary(english:"Attempts a buffer overflow.");

  script_set_attribute(attribute:"synopsis", value:
"The remote ProFTP daemon is affected by a buffer overflow
vulnerability.");
  script_set_attribute(attribute:"description", value:

"The remote ProFTP daemon is susceptible to an overflow condition.  The
TELNET_IAC escape sequence handling fails to properly sanitize user-
supplied input resulting in a stack overflow.  With a specially crafted
request, an unauthenticated, remote attacker could potentially execute
arbitrary code.");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-10-229/");
  script_set_attribute(attribute:"see_also", value:"http://bugs.proftpd.org/show_bug.cgi?id=3521");
  # https://web.archive.org/web/20161014120848/http://www.proftpd.org/docs/NEWS-1.3.3c
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ca7bee7d");
  script_set_attribute(attribute:"solution", value:"Upgrade to version 1.3.3c or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/10/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:proftpd:proftpd");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"FTP");

  script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ftpserver_detect_type_nd_version.nasl");
  script_require_keys("ftp/proftpd");
  script_require_ports("Services/ftp", 21);

  exit(0);
}

include("audit.inc");
include("ftp_func.inc");
include("global_settings.inc");
include("misc_func.inc");

get_kb_item_or_exit("ftp/proftpd");

port = get_ftp_port(default:21);
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

ftp_debug(str:"custom banner");
res = ftp_recv_line(socket:soc);
if (isnull(res)) audit(AUDIT_RESP_NOT, port);

# Attempt to crash service with large buffer of TELNET IACs.
buffer = '\x00' + crap(length:0x8000, data:'\xff\x00') + '\r\n';
send(socket:soc, data:buffer);
send(socket:soc, data:'\n');
res = ftp_recv_line(socket:soc);
ret = socket_get_error(soc);
ftp_close(socket:soc);

if (!isnull(res) || ret != ECONNRESET) audit(AUDIT_LISTEN_NOT_VULN, "ProFTPD", port);

security_hole(port);

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/proftpd_rce.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\proftpd_rce.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/proftpd_rce.nasl

Go back to menu.

How to Run

---

Here is how to run the ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select FTP plugin family.
6. On the right side table select ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow plugin ID 70446.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl proftpd_rce.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a proftpd_rce.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - proftpd_rce.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state proftpd_rce.nasl -t <IP/HOST>

Go back to menu.

References

---

BID | SecurityFocus Bugtraq ID:

• 44562

See also:

• https://www.tenable.com/plugins/nessus/70446
• http://bugs.proftpd.org/show_bug.cgi?id=3521
• http://www.nessus.org/u?ca7bee7d
• http://www.zerodayinitiative.com/advisories/ZDI-10-229/
• https://vulners.com/nessus/PROFTPD_RCE.NASL

Similar and related Nessus plugins:

• 50551 - Fedora 14 : proftpd-1.3.3c-1.fc14 (2010-17091)
• 50553 - Fedora 13 : proftpd-1.3.3c-1.fc13 (2010-17098)
• 50568 - Fedora 12 : proftpd-1.3.3c-1.fc12 (2010-17220)
• 50700 - FreeBSD : proftpd -- remote code execution vulnerability (533d20e7-f71f-11df-9ae1-000bcdf0a03b)
• 70111 - GLSA-201309-15 : ProFTPD: Multiple vulnerabilities
• 50571 - Mandriva Linux Security Advisory : proftpd (MDVSA-2010:227)
• 50544 - ProFTPD < 1.3.3c Multiple Vulnerabilities
• 52660 - Debian DSA-2191-1 : proftpd-dfsg - several vulnerabilities
• 50436 - Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : proftpd (SSA:2010-305-03)
• 27055 - ProFTPD < 1.3.0a Multiple Vulnerabilities
• 17718 - ProFTPD < 1.3.1rc1 mod_ctrls Module pr_ctrls_recv_request Function Local Overflow
• 106750 - ProFTPD 1.3.1 SQL injection protection bypass
• 50989 - ProFTPD Compromised Source Packages Trojaned Distribution
• 51366 - ProFTPD < 1.3.3d 'mod_sql' Buffer Overflow
• 56956 - ProFTPD < 1.3.3g / 1.3.4 Response Pool Use-After-Free Code Execution
• 84215 - ProFTPD mod_copy Information Disclosure
• 106754 - ProFTPD 1.3.4d / 1.3.5rc3 Denial of Service
• 106755 - ProFTPD < 1.3.5b / 1.3.6x < 1.3.6rc2 weak Diffie-Hellman key
• 106756 - ProFTPD < 1.3.5e / 1.3.6x < 1.3.6rc5 AllowChrootSymlinks bypass
• 77986 - GNU Bash Environment Variable Handling Code Injection via ProFTPD (Shellshock)
• 34265 - ProFTPD Command Truncation Cross-Site Request Forgery
• 132749 - ProFTPD 'mod_copy' Arbitrary File Copy Vulnerability (Remote)
• 35690 - ProFTPD Username Variable Substitution SQL Injection
• 15628 - Ability FTP Server Multiple Command Remote Buffer Overflows
• 40825 - MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file proftpd_rce.nasl version 1.7. For more plugins, visit the Nessus Plugin Library.

Go back to menu.