CVE-2010-4221 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Proftpd 1.3.2/1.3.3

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, proftpd, CWE-119, critical, nessus, exploit available, metasploit

Summary

Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.

Vulnerable Configurations

Part         Description   Count
Application  Proftpd       15

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

  • description: ProFTPD IAC Remote Root Exploit. CVE-2010-4221. Remote exploit for linux platform
    id: EDB-ID:15449
    last seen: 2016-02-01
    modified: 2010-11-07
    published: 2010-11-07
    reporter: kingcope
    source: https://www.exploit-db.com/download/15449/
    title: ProFTPD IAC 1.3.x - Remote Root Exploit
  • description: ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux). CVE-2010-4221. Remote exploit for linux platform
    id: EDB-ID:16851
    last seen: 2016-02-02
    modified: 2011-01-09
    published: 2011-01-09
    reporter: metasploit
    source: https://www.exploit-db.com/download/16851/
    title: ProFTPD 1.3.2rc3 - 1.3.3b - Telnet IAC Buffer Overflow Linux
  • description: ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD). CVE-2010-4221. Remote exploit for linux platform
    id: EDB-ID:16878
    last seen: 2016-02-02
    modified: 2010-12-02
    published: 2010-12-02
    reporter: metasploit
    source: https://www.exploit-db.com/download/16878/
    title: ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow FreeBSD

Metasploit

  • description: This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. The Debian Squeeze version of the exploit uses a little ROP stub to indirectly transfer the flow of execution to a pool buffer (the cmd_rec "res" in "pr_cmd_read"). The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub to it, and execute the stub. The stub then copies the remainder of the payload in and executes it. NOTE: Most Linux distributions either do not ship a vulnerable version of ProFTPD, or they ship a version compiled with stack smashing protection. Although SSP significantly reduces the probability of a single attempt succeeding, it will not prevent exploitation. Since the daemon forks in a default configuration, the cookie value will remain the same despite some attempts failing. By making repeated requests, an attacker can eventually guess the cookie value and exploit the vulnerability. The cookie in Ubuntu has 24 bits of entropy. This reduces the effectiveness and could allow exploitation in a semi-reasonable amount of time.
    id: MSF:EXPLOIT/LINUX/FTP/PROFTP_TELNET_IAC
    last seen: 2020-05-21
    modified: 2017-08-29
    published: 2010-11-05
    references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221
    reporter: Rapid7
    source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/ftp/proftp_telnet_iac.rb
    title: ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
  • description: This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code.
    id: MSF:EXPLOIT/FREEBSD/FTP/PROFTP_TELNET_IAC
    last seen: 2020-05-21
    modified: 2017-07-24
    published: 2010-11-04
    references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221
    reporter: Rapid7
    source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/freebsd/ftp/proftp_telnet_iac.rb
    title: ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)

Nessus

  • NASL family: FTP
    NASL id: PROFTPD_RCE.NASL
    description: The remote ProFTP daemon is susceptible to an overflow condition. The TELNET_IAC escape sequence handling fails to properly sanitize user-supplied input, resulting in a stack overflow. With a specially crafted request, an unauthenticated, remote attacker could potentially execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 70446
    published: 2013-10-15
    reporter: This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/70446
    title: ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(70446);
      script_version("1.7");
      script_cvs_date("Date: 2018/08/31 12:25:01");
    
      script_cve_id("CVE-2010-4221");
      script_bugtraq_id(44562);
      script_xref(name:"EDB-ID", value:"15449");
    
      script_name(english:"ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow");
      script_summary(english:"Attempts a buffer overflow.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote ProFTP daemon is affected by a buffer overflow
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    
    "The remote ProFTP daemon is susceptible to an overflow condition.  The
    TELNET_IAC escape sequence handling fails to properly sanitize user-
    supplied input resulting in a stack overflow.  With a specially crafted
    request, an unauthenticated, remote attacker could potentially execute
    arbitrary code.");
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-10-229/");
      script_set_attribute(attribute:"see_also", value:"http://bugs.proftpd.org/show_bug.cgi?id=3521");
      # https://web.archive.org/web/20161014120848/http://www.proftpd.org/docs/NEWS-1.3.3c
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ca7bee7d");
      script_set_attribute(attribute:"solution", value:"Upgrade to version 1.3.3c or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/15");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:proftpd:proftpd");
      script_end_attributes();
    
      script_category(ACT_DESTRUCTIVE_ATTACK);
      script_family(english:"FTP");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ftpserver_detect_type_nd_version.nasl");
      script_require_keys("ftp/proftpd");
      script_require_ports("Services/ftp", 21);
    
      exit(0);
    }
    
    include("audit.inc");
    include("ftp_func.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("ftp/proftpd");
    
    port = get_ftp_port(default:21);
    soc = open_sock_tcp(port);
    if (!soc) audit(AUDIT_SOCK_FAIL, port);
    
    ftp_debug(str:"custom banner");
    res = ftp_recv_line(socket:soc);
    if (isnull(res)) audit(AUDIT_RESP_NOT, port);
    
    # Attempt to crash service with large buffer of TELNET IACs.
    buffer = '\x00' + crap(length:0x8000, data:'\xff\x00') + '\r\n';
    send(socket:soc, data:buffer);
    send(socket:soc, data:'\n');
    res = ftp_recv_line(socket:soc);
    ret = socket_get_error(soc);
    ftp_close(socket:soc);
    
    if (!isnull(res) || ret != ECONNRESET) audit(AUDIT_LISTEN_NOT_VULN, "ProFTPD", port);
    
    security_hole(port);
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201309-15.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201309-15 (ProFTPD: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in ProFTPD. Please review the CVE identifiers referenced below for details. Impact: A context-dependent attacker could possibly execute arbitrary code with the privileges of the process, perform man-in-the-middle attacks to spoof arbitrary SSL servers, cause a Denial of Service condition, or read and modify arbitrary files. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 70111
    published: 2013-09-25
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/70111
    title: GLSA-201309-15 : ProFTPD: Multiple vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-17220.NASL
    description: This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system. - A logic error in the code for processing user input containing the Telnet IAC (Interpret As Command) escape sequence can be exploited to cause a stack-based buffer overflow by sending specially crafted input to the FTP or FTPS service. Successful exploitation may allow execution of arbitrary code. This has been assigned the name CVE-2010-4221. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3521 - An input validation error within the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50568
    published: 2010-11-12
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50568
    title: Fedora 12 : proftpd-1.3.3c-1.fc12 (2010-17220)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-17098.NASL
    description: This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system. - A logic error in the code for processing user input containing the Telnet IAC (Interpret As Command) escape sequence can be exploited to cause a stack-based buffer overflow by sending specially crafted input to the FTP or FTPS service. Successful exploitation may allow execution of arbitrary code. This has been assigned the name CVE-2010-4221. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3521 - An input validation error within the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50553
    published: 2010-11-11
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50553
    title: Fedora 13 : proftpd-1.3.3c-1.fc13 (2010-17098)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_533D20E7F71F11DF9AE1000BCDF0A03B.NASL
    description: Tippingpoint reports: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability. The flaw exists within the proftpd server component which listens by default on TCP port 21. When reading user input, if a TELNET_IAC escape sequence is encountered the process miscalculates a buffer length counter value, allowing a user-controlled copy of data to a stack buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50700
    published: 2010-11-24
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50700
    title: FreeBSD : proftpd -- remote code execution vulnerability (533d20e7-f71f-11df-9ae1-000bcdf0a03b)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-17091.NASL
    description: This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system. - A logic error in the code for processing user input containing the Telnet IAC (Interpret As Command) escape sequence can be exploited to cause a stack-based buffer overflow by sending specially crafted input to the FTP or FTPS service. Successful exploitation may allow execution of arbitrary code. This has been assigned the name CVE-2010-4221. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3521 - An input validation error within the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50551
    published: 2010-11-11
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50551
    title: Fedora 14 : proftpd-1.3.3c-1.fc14 (2010-17091)
  • NASL family: FTP
    NASL id: PROFTPD_1_3_3C.NASL
    description: The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.3c. Such versions are reportedly affected by the following vulnerabilities : - When ProFTPD is compiled with
    last seen: 2020-03-28
    modified: 2010-11-10
    plugin id: 50544
    published: 2010-11-10
    reporter: This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50544
    title: ProFTPD < 1.3.3c Multiple Vulnerabilities
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2010-227.NASL
    description: Multiple vulnerabilities were discovered and corrected in proftpd: Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command (CVE-2010-3867). Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server (CVE-2010-4221). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50571
    published: 2010-11-12
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50571
    title: Mandriva Linux Security Advisory : proftpd (MDVSA-2010:227)

Saint

bid: 44562
description: ProFTPD Telnet IAC buffer overflow
osvdb: 68985
title: proftpd_telnet_iac
type: remote