Vulnerabilities > CVE-2012-6095 - Race Condition vulnerability in Proftpd
Attack vector
LOCAL Attack complexity
HIGH Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-053.NASL description A vulnerability has been found and corrected in proftpd : ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands (CVE-2012-6095). The updated packages have been patched to correct thies issue. last seen 2020-06-01 modified 2020-06-02 plugin id 66067 published 2013-04-20 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66067 title Mandriva Linux Security Advisory : proftpd (MDVSA-2013:053) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2013:053. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(66067); script_version("1.5"); script_cvs_date("Date: 2019/08/02 13:32:55"); script_cve_id("CVE-2012-6095"); script_bugtraq_id(57172); script_xref(name:"MDVSA", value:"2013:053"); script_name(english:"Mandriva Linux Security Advisory : proftpd (MDVSA-2013:053)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A vulnerability has been found and corrected in proftpd : ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands (CVE-2012-6095). The updated packages have been patched to correct thies issue." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_autohost"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ban"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_case"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ctrls_admin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_gss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ifsession"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_load"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_file"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_radius"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_sql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_radius"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_ratio"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_rewrite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_shaper"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_site_misc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_passwd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_sql_postgres"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_time"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_tls"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_vroot"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap_file"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd-mod_wrap_sql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1"); script_set_attribute(attribute:"patch_publication_date", value:"2013/04/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-devel-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_autohost-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_ban-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_case-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_ctrls_admin-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_gss-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_ifsession-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_ldap-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_load-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_quotatab-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_quotatab_file-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_quotatab_ldap-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_quotatab_radius-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_quotatab_sql-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_radius-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_ratio-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_rewrite-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_sftp-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_shaper-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_site_misc-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_sql-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_sql_mysql-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_sql_passwd-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_sql_postgres-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_time-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_tls-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_vroot-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_wrap-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_wrap_file-1.3.3g-2.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"proftpd-mod_wrap_sql-1.3.3g-2.1.mbs1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2013-0437.NASL description Jann Horn reported that there is a possible race condition in the handling of the MKD/XMKD FTP commands, when the UserOwner directive is involved, and the attacker is on the same physical machine as a running proftpd. This race applies to mod_sftp and the handling of the MKDIR SFTP request as well. Note that using the DefaultRoot directive to restrict sessions mitigates this attack, since the symlinks created by the local attacker will point outside of the chroot(2) area within the FTP session, and thus the ownership change will fail. The default configuration in Fedora applies the DefaultRoot directive to all users except last seen 2020-03-17 modified 2013-01-31 plugin id 64365 published 2013-01-31 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64365 title Fedora 18 : proftpd-1.3.4b-5.fc18 (2013-0437) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201309-15.NASL description The remote host is affected by the vulnerability described in GLSA-201309-15 (ProFTPD: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in ProFTPD. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could possibly execute arbitrary code with the privileges of the process, perform man-in-the-middle attacks to spoof arbitrary SSL servers, cause a Denial of Service condition, or read and modify arbitrary files. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 70111 published 2013-09-25 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/70111 title GLSA-201309-15 : ProFTPD: Multiple vulnerabilities NASL family Solaris Local Security Checks NASL id SOLARIS11_PROFTPD_20130924.NASL description The remote Solaris system is missing necessary patches to address security updates : - ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands. (CVE-2012-6095) last seen 2020-06-01 modified 2020-06-02 plugin id 80743 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80743 title Oracle Solaris Third-Party Patch Update : proftpd (cve_2012_6095_race_conditions) NASL family Fedora Local Security Checks NASL id FEDORA_2013-0468.NASL description Jann Horn reported that there is a possible race condition in the handling of the MKD/XMKD FTP commands, when the UserOwner directive is involved, and the attacker is on the same physical machine as a running proftpd. This race applies to mod_sftp and the handling of the MKDIR SFTP request as well. Note that using the DefaultRoot directive to restrict sessions mitigates this attack, since the symlinks created by the local attacker will point outside of the chroot(2) area within the FTP session, and thus the ownership change will fail. The default configuration in Fedora applies the DefaultRoot directive to all users except last seen 2020-03-17 modified 2013-01-31 plugin id 64366 published 2013-01-31 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64366 title Fedora 16 : proftpd-1.3.4b-5.fc16 (2013-0468) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2606.NASL description It has been discovered that in ProFTPd, an FTP server, an attacker on the same physical host as the server may be able to perform a symlink attack allowing to elevate privileges in some configurations. last seen 2020-03-17 modified 2013-01-14 plugin id 63512 published 2013-01-14 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63512 title Debian DSA-2606-1 : proftpd-dfsg - symlink race NASL family FTP NASL id PROFTPD_MKD_XMKD_FILE_OVERWRITE.NASL description The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host earlier than 1.3.4c. As such, it is potentially affected by a race condition error that does not securely create temporary files related to symlinks and newly created directories. A local, attacker could leverage this issue to overwrite arbitrary files and elevate privileges. Note that Nessus did not actually test for the flaw but has instead relied on the version in ProFTPD last seen 2020-03-28 modified 2013-06-24 plugin id 66970 published 2013-06-24 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66970 title ProFTPD FTP Command Handling Symlink Arbitrary File Overwrite NASL family Fedora Local Security Checks NASL id FEDORA_2013-0483.NASL description Jann Horn reported that there is a possible race condition in the handling of the MKD/XMKD FTP commands, when the UserOwner directive is involved, and the attacker is on the same physical machine as a running proftpd. This race applies to mod_sftp and the handling of the MKDIR SFTP request as well. Note that using the DefaultRoot directive to restrict sessions mitigates this attack, since the symlinks created by the local attacker will point outside of the chroot(2) area within the FTP session, and thus the ownership change will fail. The default configuration in Fedora applies the DefaultRoot directive to all users except last seen 2020-03-17 modified 2013-01-31 plugin id 64367 published 2013-01-31 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64367 title Fedora 17 : proftpd-1.3.4b-5.fc17 (2013-0483)