CVE-2010-4221 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in ProFTPD 1.3.2/1.3.3
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |

Summary
Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 15 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
EDB-ID | Title | Description | Reporter | Published | Modified | Last seen | Source |
---|---|---|---|---|---|---|---|
15449 | ProFTPD IAC 1.3.x - Remote Root Exploit | ProFTPD IAC Remote Root Exploit. CVE-2010-4221. Remote exploit for linux platform | kingcope | 2010-11-07 | 2010-11-07 | 2016-02-01 | https://www.exploit-db.com/download/15449/ |
16851 | ProFTPD 1.3.2rc3 - 1.3.3b - Telnet IAC Buffer Overflow Linux | ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux). CVE-2010-4221. Remote exploit for linux platform | metasploit | 2011-01-09 | 2011-01-09 | 2016-02-02 | https://www.exploit-db.com/download/16851/ |
16878 | ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow FreeBSD | ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD). CVE-2010-4221. Remote exploit for linux platform | metasploit | 2010-12-02 | 2010-12-02 | 2016-02-02 | https://www.exploit-db.com/download/16878/ |
Metasploit
Field | Value |
---|---|
title | ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux) |
id | MSF:EXPLOIT/LINUX/FTP/PROFTP_TELNET_IAC |
description | This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. The Debian Squeeze version of the exploit uses a little ROP stub to indirectly transfer the flow of execution to a pool buffer (the cmd_rec "res" in "pr_cmd_read"). The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub to it, and execute the stub. The stub then copies the remainder of the payload in and executes it. NOTE: Most Linux distributions either do not ship a vulnerable version of ProFTPD, or they ship a version compiled with stack smashing protection. Although SSP significantly reduces the probability of a single attempt succeeding, it will not prevent exploitation. Since the daemon forks in a default configuration, the cookie value will remain the same despite some attempts failing. By making repeated requests, an attacker can eventually guess the cookie value and exploit the vulnerability. The cookie in Ubuntu has 24 bits of entropy. This reduces the effectiveness and could allow exploitation in a semi-reasonable amount of time. |
published | 2010-11-05 |
modified | 2017-08-29 |
last seen | 2020-05-21 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/ftp/proftp_telnet_iac.rb |

Field | Value |
---|---|
title | ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD) |
id | MSF:EXPLOIT/FREEBSD/FTP/PROFTP_TELNET_IAC |
description | This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. |
published | 2010-11-04 |
modified | 2017-07-24 |
last seen | 2020-05-21 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/freebsd/ftp/proftp_telnet_iac.rb |
Nessus
Field | Value |
---|---|
NASL family | FTP |
NASL id | PROFTPD_RCE.NASL |
title | ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow |
description | The remote ProFTP daemon is susceptible to an overflow condition. The TELNET_IAC escape sequence handling fails to properly sanitize user-supplied input resulting in a stack overflow. With a specially crafted request, an unauthenticated, remote attacker could potentially execute arbitrary code. |
plugin id | 70446 |
published | 2013-10-15 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/70446 |

Plugin code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin metadata: identifiers, references, CVSS vectors and dependencies.
if (description)
{
  script_id(70446);
  script_version("1.7");
  script_cvs_date("Date: 2018/08/31 12:25:01");

  script_cve_id("CVE-2010-4221");
  script_bugtraq_id(44562);
  script_xref(name:"EDB-ID", value:"15449");

  script_name(english:"ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow");
  script_summary(english:"Attempts a buffer overflow.");

  script_set_attribute(attribute:"synopsis", value:
"The remote ProFTP daemon is affected by a buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote ProFTP daemon is susceptible to an overflow condition. The
TELNET_IAC escape sequence handling fails to properly sanitize user-
supplied input resulting in a stack overflow. With a specially crafted
request, an unauthenticated, remote attacker could potentially execute
arbitrary code.");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-10-229/");
  script_set_attribute(attribute:"see_also", value:"http://bugs.proftpd.org/show_bug.cgi?id=3521");
  # https://web.archive.org/web/20161014120848/http://www.proftpd.org/docs/NEWS-1.3.3c
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ca7bee7d");
  script_set_attribute(attribute:"solution", value:"Upgrade to version 1.3.3c or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/10/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:proftpd:proftpd");
  script_end_attributes();

  # Destructive category: the check deliberately tries to crash the daemon.
  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"FTP");

  script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ftpserver_detect_type_nd_version.nasl");
  script_require_keys("ftp/proftpd");
  script_require_ports("Services/ftp", 21);

  exit(0);
}

include("audit.inc");
include("ftp_func.inc");
include("global_settings.inc");
include("misc_func.inc");

# Only run against hosts already fingerprinted as ProFTPD.
get_kb_item_or_exit("ftp/proftpd");

port = get_ftp_port(default:21);

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

ftp_debug(str:"custom banner");
res = ftp_recv_line(socket:soc);
if (isnull(res)) audit(AUDIT_RESP_NOT, port);

# Attempt to crash service with large buffer of TELNET IACs.
buffer = '\x00' + crap(length:0x8000, data:'\xff\x00') + '\r\n';
send(socket:soc, data:buffer);
send(socket:soc, data:'\n');

# A vulnerable daemon dies and resets the connection instead of answering.
res = ftp_recv_line(socket:soc);
ret = socket_get_error(soc);
ftp_close(socket:soc);

if (!isnull(res) || ret != ECONNRESET) audit(AUDIT_LISTEN_NOT_VULN, "ProFTPD", port);

security_hole(port);
```
Field | Value |
---|---|
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201309-15.NASL |
title | GLSA-201309-15 : ProFTPD: Multiple vulnerabilities |
description | The remote host is affected by the vulnerability described in GLSA-201309-15 (ProFTPD: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in ProFTPD. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could possibly execute arbitrary code with the privileges of the process, perform man-in-the-middle attacks to spoof arbitrary SSL servers, cause a Denial of Service condition, or read and modify arbitrary files. Workaround : There is no known workaround at this time. |
plugin id | 70111 |
published | 2013-09-25 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/70111 |

Field | Value |
---|---|
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2010-17220.NASL |
title | Fedora 12 : proftpd-1.3.3c-1.fc12 (2010-17220) |
description | This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system. - A logic error in the code for processing user input containing the Telnet IAC (Interpret As Command) escape sequence can be exploited to cause a stack-based buffer overflow by sending specially crafted input to the FTP or FTPS service. Successful exploitation may allow execution of arbitrary code. This has been assigned the name CVE-2010-4221. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3521 - An input validation error within the |
plugin id | 50568 |
published | 2010-11-12 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/50568 |

Field | Value |
---|---|
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2010-17098.NASL |
title | Fedora 13 : proftpd-1.3.3c-1.fc13 (2010-17098) |
description | This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system. - A logic error in the code for processing user input containing the Telnet IAC (Interpret As Command) escape sequence can be exploited to cause a stack-based buffer overflow by sending specially crafted input to the FTP or FTPS service. Successful exploitation may allow execution of arbitrary code. This has been assigned the name CVE-2010-4221. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3521 - An input validation error within the |
plugin id | 50553 |
published | 2010-11-11 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/50553 |

Field | Value |
---|---|
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_533D20E7F71F11DF9AE1000BCDF0A03B.NASL |
title | FreeBSD : proftpd -- remote code execution vulnerability (533d20e7-f71f-11df-9ae1-000bcdf0a03b) |
description | Tippingpoint reports : This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability. The flaw exists within the proftpd server component which listens by default on TCP port 21. When reading user input, if a TELNET_IAC escape sequence is encountered the process miscalculates a buffer length counter value, allowing a user-controlled copy of data to a stack buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process. |
plugin id | 50700 |
published | 2010-11-24 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/50700 |

Field | Value |
---|---|
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2010-17091.NASL |
title | Fedora 14 : proftpd-1.3.3c-1.fc14 (2010-17091) |
description | This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system. - A logic error in the code for processing user input containing the Telnet IAC (Interpret As Command) escape sequence can be exploited to cause a stack-based buffer overflow by sending specially crafted input to the FTP or FTPS service. Successful exploitation may allow execution of arbitrary code. This has been assigned the name CVE-2010-4221. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3521 - An input validation error within the |
plugin id | 50551 |
published | 2010-11-11 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/50551 |

Field | Value |
---|---|
NASL family | FTP |
NASL id | PROFTPD_1_3_3C.NASL |
title | ProFTPD < 1.3.3c Multiple Vulnerabilities |
description | The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.3c. Such versions are reportedly affected by the following vulnerabilities : - When ProFTPD is compiled with |
plugin id | 50544 |
published | 2010-11-10 |
modified | 2010-11-10 |
last seen | 2020-03-28 |
reporter | This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/50544 |

Field | Value |
---|---|
NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2010-227.NASL |
title | Mandriva Linux Security Advisory : proftpd (MDVSA-2010:227) |
description | Multiple vulnerabilities were discovered and corrected in proftpd : Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command (CVE-2010-3867). Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server (CVE-2010-4221). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct these issues. |
plugin id | 50571 |
published | 2010-11-12 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/50571 |
Saint
Field | Value |
---|---|
bid | 44562 |
description | ProFTPD Telnet IAC buffer overflow |
osvdb | 68985 |
title | proftpd_telnet_iac |
type | remote |
References
- http://bugs.proftpd.org/show_bug.cgi?id=3521
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050687.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050703.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050726.html
- http://secunia.com/advisories/42052
- http://secunia.com/advisories/42217
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:227
- http://www.proftpd.org/docs/NEWS-1.3.3c
- http://www.securityfocus.com/bid/44562
- http://www.vupen.com/english/advisories/2010/2941
- http://www.vupen.com/english/advisories/2010/2959
- http://www.vupen.com/english/advisories/2010/2962
- http://www.zerodayinitiative.com/advisories/ZDI-10-229/