Vulnerabilities > CVE-2011-1575 - Resource Management Errors vulnerability in Pureftpd Pure-Ftpd
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_4_PURE-FTPD-110412.NASL description Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 76000 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76000 title openSUSE Security Update : pure-ftpd (openSUSE-SU-2011:0483-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update pure-ftpd-4353. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(76000); script_version("1.4"); script_cvs_date("Date: 2019/10/25 13:36:42"); script_cve_id("CVE-2011-0411", "CVE-2011-1575"); script_name(english:"openSUSE Security Update : pure-ftpd (openSUSE-SU-2011:0483-1)"); script_summary(english:"Check for the pure-ftpd-4353 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=686590" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2011-05/msg00029.html" ); script_set_attribute( attribute:"solution", value:"Update the affected pure-ftpd packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pure-ftpd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pure-ftpd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pure-ftpd-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.4", reference:"pure-ftpd-1.0.29-8.9.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"pure-ftpd-debuginfo-1.0.29-8.9.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"pure-ftpd-debugsource-1.0.29-8.9.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pure-ftpd / pure-ftpd-debuginfo / pure-ftpd-debugsource"); }NASL family SuSE Local Security Checks NASL id SUSE_PURE-FTPD-7466.NASL description Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 54830 published 2011-05-26 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54830 title SuSE 10 Security Update : pure-ftpd (ZYPP Patch Number 7466) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(54830); script_version ("1.11"); script_cvs_date("Date: 2019/10/25 13:36:43"); script_cve_id("CVE-2011-0411", "CVE-2011-1575"); script_name(english:"SuSE 10 Security Update : pure-ftpd (ZYPP Patch Number 7466)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue." ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-0411.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1575.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7466."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLES10", sp:3, reference:"pure-ftpd-1.0.22-0.20.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else exit(0, "The host is not affected.");NASL family FTP NASL id FTP_STARTTLS_PLAINTEXT_INJECTION.NASL description The remote FTP server contains a software flaw in its AUTH TLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could permit an attacker to modify files on the FTP server and reveal a user last seen 2020-06-01 modified 2020-06-02 plugin id 53847 published 2011-05-09 reporter This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53847 title FTP Service AUTH TLS Plaintext Command Injection code # # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 4000) exit(0); include("compat.inc"); if (description) { script_id(53847); script_version("1.14"); script_cvs_date("Date: 2018/11/15 20:50:22"); script_cve_id("CVE-2011-1575"); script_bugtraq_id(46767); script_xref(name:"CERT", value:"555316"); script_name(english:"FTP Service AUTH TLS Plaintext Command Injection"); script_summary(english:"Tries to inject a command along with AUTH TLS"); script_set_attribute( attribute:"synopsis", value: "The remote FTP server allows plaintext command injection while negotiating an encrypted communications channel." ); script_set_attribute( attribute:"description", value: "The remote FTP server contains a software flaw in its AUTH TLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could permit an attacker to modify files on the FTP server and reveal a user's credentials." ); script_set_attribute( attribute:"see_also", value:"https://tools.ietf.org/html/rfc4217" ); script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/archive/1/516901/30/0/threaded" ); script_set_attribute( attribute:"solution", value:"Contact the vendor to see if an update is available." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-1575"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"FTP"); script_copyright(english: "This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ftp_starttls.nasl"); script_require_ports("Services/ftp", 21); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("ftp_func.inc"); port = get_service(svc:"ftp", default:21, exit_on_fail:TRUE); if (!get_kb_item("ftp/"+port+"/starttls")) { if (get_kb_item("ftp/"+port+"/starttls_tested")) exit(0, "The FTP server on port "+port+" does not support AUTH TLS."); encaps = get_kb_item("Transports/TCP/"+port); if (encaps && encaps > ENCAPS_IP) exit(0, "The FTP server on port "+port+" always encrypts traffic."); } soc = open_sock_tcp(port); if (!soc) exit(1, "Can't open socket on port "+port+"."); ftp_debug(str:"custom"); s = ftp_recv_line(socket:soc); if (!strlen(s)) { close(soc); exit(1, "Failed to receive a banner from the FTP server on port "+port+"."); } # Send the exploit. c = 'AUTH TLS\r\nFEAT\r\n'; send(socket:soc, data:c); s1 = ftp_recv_line(socket:soc); if (strlen(s1)) s1 = chomp(s1); if (strlen(s1) < 4) { ftp_close(socket:soc); if (strlen(s1)) errmsg = "The FTP server on port "+port+" sent an invalid response (" + s1 + ")."; else errmsg = "The FTP server on port "+port+" failed to respond to a 'AUTH TLS' command."; exit(1, errmsg); } if (substr(s1, 0, 2) != "234") exit(1, "The FTP server on port "+port+" did not accept the command (" + s1 + ")."); # nb: finally, we need to make sure the second command worked. soc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1); if (!soc) exit(1, "Failed to negotiate a TLS connection with the FTP server on port "+port+"."); s2 = ftp_recv_line(socket:soc); if (strlen(s2)) s2 = chomp(s2); ftp_close(socket:soc); if (strlen(s2) == 0) exit(0, "The FTP server on port "+port+" does not appear to be affected."); else { if (strlen(s2) >= 3 && substr(s2, 0, 2) == "211") { if (report_verbosity > 0) { report = '\n' + 'Nessus sent the following two commands in a single packet :' + '\n' + '\n' + ' ' + str_replace(find:'\r\n', replace:'\\r\\n', string:c) + '\n' + '\n' + 'And the server sent the following two responses :' + '\n' + '\n' + ' ' + s1 + '\n' + ' ' + s2 + '\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else exit(0, "The FTP server on port "+port+" does not appear to be affected as it responded '" + s2 + "'."); }NASL family SuSE Local Security Checks NASL id SUSE_11_3_PURE-FTPD-110412.NASL description Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 75716 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75716 title openSUSE Security Update : pure-ftpd (openSUSE-SU-2011:0483-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update pure-ftpd-4353. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(75716); script_version("1.4"); script_cvs_date("Date: 2019/10/25 13:36:41"); script_cve_id("CVE-2011-0411", "CVE-2011-1575"); script_name(english:"openSUSE Security Update : pure-ftpd (openSUSE-SU-2011:0483-1)"); script_summary(english:"Check for the pure-ftpd-4353 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=686590" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2011-05/msg00029.html" ); script_set_attribute( attribute:"solution", value:"Update the affected pure-ftpd package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pure-ftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.3"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.3", reference:"pure-ftpd-1.0.29-2.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pure-ftpd"); }NASL family SuSE Local Security Checks NASL id SUSE_11_PURE-FTPD-110412.NASL description Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 54828 published 2011-05-26 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54828 title SuSE 11.1 Security Update : pure-ftpd (SAT Patch Number 4360) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(54828); script_version("1.11"); script_cvs_date("Date: 2019/10/25 13:36:43"); script_cve_id("CVE-2011-0411", "CVE-2011-1575"); script_name(english:"SuSE 11.1 Security Update : pure-ftpd (SAT Patch Number 4360)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing a security update." ); script_set_attribute( attribute:"description", value: "Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=686590" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-0411.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1575.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 4360."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:pure-ftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, "SuSE 11.1"); flag = 0; if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"pure-ftpd-1.0.22-3.5.1")) flag++; if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"pure-ftpd-1.0.22-3.5.1")) flag++; if (rpm_check(release:"SLES11", sp:1, reference:"pure-ftpd-1.0.22-3.5.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201110-25.NASL description The remote host is affected by the vulnerability described in GLSA-201110-25 (Pure-FTPd: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Pure-FTPd. Please review the CVE identifiers referenced below for details. Impact : Remote unauthenticated attackers may be able to inject FTP commands or cause a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 56659 published 2011-10-27 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56659 title GLSA-201110-25 : Pure-FTPd: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201110-25. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(56659); script_version("1.7"); script_cvs_date("Date: 2018/07/11 17:09:26"); script_cve_id("CVE-2011-0418", "CVE-2011-1575"); script_bugtraq_id(46767, 47671); script_xref(name:"GLSA", value:"201110-25"); script_name(english:"GLSA-201110-25 : Pure-FTPd: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201110-25 (Pure-FTPd: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Pure-FTPd. Please review the CVE identifiers referenced below for details. Impact : Remote unauthenticated attackers may be able to inject FTP commands or cause a Denial of Service. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201110-25" ); script_set_attribute( attribute:"solution", value: "All pure-ftpd users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-ftp/pure-ftpd-1.0.32' NOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 14, 2011. It is likely that your system is already no longer affected by this issue." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:pure-ftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2011/10/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-ftp/pure-ftpd", unaffected:make_list("ge 1.0.32"), vulnerable:make_list("lt 1.0.32"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Pure-FTPd"); }NASL family SuSE Local Security Checks NASL id SUSE_PURE-FTPD-7480.NASL description Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 57246 published 2011-12-13 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57246 title SuSE 10 Security Update : pure-ftpd (ZYPP Patch Number 7480) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(57246); script_version ("1.9"); script_cvs_date("Date: 2019/10/25 13:36:43"); script_cve_id("CVE-2011-0411", "CVE-2011-1575"); script_name(english:"SuSE 10 Security Update : pure-ftpd (ZYPP Patch Number 7480)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue." ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-0411.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1575.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7480."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:4, reference:"pure-ftpd-1.0.22-0.20.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"pure-ftpd-1.0.22-0.20.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else exit(0, "The host is not affected.");NASL family SuSE Local Security Checks NASL id SUSE_11_2_PURE-FTPD-110412.NASL description Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 53888 published 2011-05-13 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53888 title openSUSE Security Update : pure-ftpd (openSUSE-SU-2011:0483-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update pure-ftpd-4353. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(53888); script_version("1.7"); script_cvs_date("Date: 2019/10/25 13:36:41"); script_cve_id("CVE-2011-0411", "CVE-2011-1575"); script_name(english:"openSUSE Security Update : pure-ftpd (openSUSE-SU-2011:0483-1)"); script_summary(english:"Check for the pure-ftpd-4353 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=686590" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2011-05/msg00029.html" ); script_set_attribute( attribute:"solution", value:"Update the affected pure-ftpd package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pure-ftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.2", reference:"pure-ftpd-1.0.22-3.4.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pure-ftpd"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_1495F931852211E0A1C100215C6A37BB.NASL description Pure-FTPd development team reports : Support for braces expansion in directory listings has been disabled -- Cf. CVE-2011-0418. Fix a STARTTLS flaw similar to Postfix last seen 2020-06-01 modified 2020-06-02 plugin id 54620 published 2011-05-24 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/54620 title FreeBSD : pureftpd -- multiple vulnerabilities (1495f931-8522-11e0-a1c1-00215c6a37bb) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(54620); script_version("1.12"); script_cvs_date("Date: 2019/08/02 13:32:40"); script_cve_id("CVE-2011-0418", "CVE-2011-1575"); script_bugtraq_id(46767); script_name(english:"FreeBSD : pureftpd -- multiple vulnerabilities (1495f931-8522-11e0-a1c1-00215c6a37bb)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Pure-FTPd development team reports : Support for braces expansion in directory listings has been disabled -- Cf. CVE-2011-0418. Fix a STARTTLS flaw similar to Postfix's CVE-2011-0411. If you're using TLS, upgrading is recommended." ); # https://vuxml.freebsd.org/freebsd/1495f931-8522-11e0-a1c1-00215c6a37bb.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?5be3971b" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:pure-ftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/04/01"); script_set_attribute(attribute:"patch_publication_date", value:"2011/05/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"pure-ftpd<1.0.32")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- http://archives.pureftpd.org/archives.cgi?100:mss:3906:201103:cpeojfkblajnpinkeadd
- http://archives.pureftpd.org/archives.cgi?100:mss:3910:201103:cpeojfkblajnpinkeadd
- http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2011-05/msg00029.html
- http://openwall.com/lists/oss-security/2011/04/11/14
- http://openwall.com/lists/oss-security/2011/04/11/3
- http://openwall.com/lists/oss-security/2011/04/11/7
- http://openwall.com/lists/oss-security/2011/04/11/8
- http://secunia.com/advisories/43988
- http://secunia.com/advisories/44548
- http://www.pureftpd.org/project/pure-ftpd/news
- https://bugzilla.novell.com/show_bug.cgi?id=686590
- https://bugzilla.redhat.com/show_bug.cgi?id=683221
- https://github.com/jedisct1/pure-ftpd/commit/65c4d4ad331e94661de763e9b5304d28698999c4