Vulnerabilities > CVE-2015-3306 - Improper Access Control vulnerability in Proftpd 1.3.5

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
proftpd
CWE-284
critical
nessus
exploit available
metasploit

Summary

The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.

Vulnerable Configurations

Part Description Count
Application
Proftpd
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Exploit-Db

  • descriptionProFTPd 1.3.5 (mod_copy) - Remote Command Execution. CVE-2015-3306. Remote exploit for linux platform
    fileexploits/linux/remote/36803.py
    idEDB-ID:36803
    last seen2016-02-04
    modified2015-04-21
    platformlinux
    port
    published2015-04-21
    reporterR-73eN
    sourcehttps://www.exploit-db.com/download/36803/
    titleProFTPd 1.3.5 mod_copy - Remote Command Execution
    typeremote
  • descriptionProFTPd 1.3.5 - File Copy. CVE-2015-3306. Remote exploit for linux platform
    fileexploits/linux/remote/36742.txt
    idEDB-ID:36742
    last seen2016-02-04
    modified2015-04-13
    platformlinux
    port
    published2015-04-13
    reporteranonymous
    sourcehttps://www.exploit-db.com/download/36742/
    titleProFTPd 1.3.5 - File Copy
    typeremote
  • descriptionProFTPD 1.3.5 Mod_Copy Command Execution. CVE-2015-3306. Remote exploit for linux platform
    idEDB-ID:37262
    last seen2016-02-04
    modified2015-06-10
    published2015-06-10
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/37262/
    titleProFTPD 1.3.5 Mod_Copy Command Execution

Metasploit

descriptionThis module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.
idMSF:EXPLOIT/UNIX/FTP/PROFTPD_MODCOPY_EXEC
last seen2020-06-02
modified2017-07-24
published2015-04-22
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
titleProFTPD 1.3.5 Mod_Copy Command Execution

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-410.NASL
    descriptionThe ftp server ProFTPD was updated to 1.3.5a to fix one security issue. The following vulnerability was fixed : - CVE-2015-3306: Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy (boo#927290) In addition, proftpd was updated to 1.3.5a to fix a number of upstream bugs and improve functionality.
    last seen2020-06-05
    modified2015-06-12
    plugin id84134
    published2015-06-12
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84134
    titleopenSUSE Security Update : proftpd (openSUSE-2015-410)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2015-410.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84134);
      script_version("2.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2013-4359", "CVE-2015-3306");
    
      script_name(english:"openSUSE Security Update : proftpd (openSUSE-2015-410)");
      script_summary(english:"Check for the openSUSE-2015-410 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The ftp server ProFTPD was updated to 1.3.5a to fix one security
    issue.
    
    The following vulnerability was fixed :
    
      - CVE-2015-3306: Unauthenticated copying of files via SITE
        CPFR/CPTO allowed by mod_copy (boo#927290)
    
    In addition, proftpd was updated to 1.3.5a to fix a number of upstream
    bugs and improve functionality."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=927290"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected proftpd packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-ldap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-mysql-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-pgsql-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-radius");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-radius-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-sqlite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:proftpd-sqlite-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/06/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-debuginfo-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-debugsource-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-devel-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-lang-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-ldap-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-ldap-debuginfo-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-mysql-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-mysql-debuginfo-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-pgsql-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-pgsql-debuginfo-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-radius-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-radius-debuginfo-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-sqlite-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"proftpd-sqlite-debuginfo-1.3.5a-7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-debuginfo-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-debugsource-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-devel-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-lang-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-ldap-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-ldap-debuginfo-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-mysql-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-mysql-debuginfo-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-pgsql-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-pgsql-debuginfo-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-radius-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-radius-debuginfo-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-sqlite-1.3.5a-3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"proftpd-sqlite-debuginfo-1.3.5a-3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "proftpd / proftpd-debuginfo / proftpd-debugsource / proftpd-devel / etc");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-7086.NASL
    descriptionVadim Melihow reported a critical issue with proftpd installations that use the mod_copy module
    last seen2020-06-05
    modified2015-05-11
    plugin id83323
    published2015-05-11
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83323
    titleFedora 21 : proftpd-1.3.5-5.fc21 (2015-7086)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-7086.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83323);
      script_version("2.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-3306");
      script_xref(name:"FEDORA", value:"2015-7086");
    
      script_name(english:"Fedora 21 : proftpd-1.3.5-5.fc21 (2015-7086)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Vadim Melihow reported a critical issue with proftpd installations
    that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy
    allows these commands to be used by unauthenticated clients
    
    Upstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169
    
    Note that mod_copy is not loaded/enabled by default in the Fedora
    package.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.proftpd.org/show_bug.cgi?id=4169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1212386"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157581.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?86aa97d0"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected proftpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:21");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/11");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^21([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 21.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC21", reference:"proftpd-1.3.5-5.fc21")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "proftpd");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-7164.NASL
    descriptionVadim Melihow reported a critical issue with proftpd installations that use the mod_copy module
    last seen2020-06-05
    modified2015-05-04
    plugin id83224
    published2015-05-04
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83224
    titleFedora 22 : proftpd-1.3.5-6.fc22 (2015-7164)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-7164.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83224);
      script_version("2.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-3306");
      script_xref(name:"FEDORA", value:"2015-7164");
    
      script_name(english:"Fedora 22 : proftpd-1.3.5-6.fc22 (2015-7164)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Vadim Melihow reported a critical issue with proftpd installations
    that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy
    allows these commands to be used by unauthenticated clients
    
    Upstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169
    
    Note that mod_copy is not loaded/enabled by default in the Fedora
    package.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.proftpd.org/show_bug.cgi?id=4169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1212386"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?25c5c14c"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected proftpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC22", reference:"proftpd-1.3.5-6.fc22")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "proftpd");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-6401.NASL
    descriptionVadim Melihow reported a critical issue with proftpd installations that use the mod_copy module
    last seen2020-06-05
    modified2015-05-04
    plugin id83198
    published2015-05-04
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83198
    titleFedora 20 : proftpd-1.3.4e-3.fc20 (2015-6401)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-6401.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83198);
      script_version("2.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-3306");
      script_xref(name:"FEDORA", value:"2015-6401");
    
      script_name(english:"Fedora 20 : proftpd-1.3.4e-3.fc20 (2015-6401)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Vadim Melihow reported a critical issue with proftpd installations
    that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy
    allows these commands to be used by *unauthenticated clients*
    
    Upstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169
    
    This update contains a backported fix for this issue.
    
    Note that mod_copy is not loaded/enabled by default in the Fedora
    package.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.proftpd.org/show_bug.cgi?id=4169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1212386"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3fb4bf19"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected proftpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC20", reference:"proftpd-1.3.4e-3.fc20")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "proftpd");
    }
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2015-111-12.NASL
    descriptionNew proftpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id82925
    published2015-04-22
    reporterThis script is Copyright (C) 2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82925
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : proftpd (SSA:2015-111-12)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2015-111-12. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82925);
      script_version("$Revision: 1.4 $");
      script_cvs_date("$Date: 2015/11/16 15:47:34 $");
    
      script_cve_id("CVE-2015-3306");
      script_xref(name:"SSA", value:"2015-111-12");
    
      script_name(english:"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : proftpd (SSA:2015-111-12)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New proftpd packages are available for Slackware 13.0, 13.1, 13.37,
    14.0, 14.1, and -current to fix a security issue."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.503863
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?26b1069e"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected proftpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.37");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"13.0", pkgname:"proftpd", pkgver:"1.3.4e", pkgarch:"i486", pkgnum:"1_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"proftpd", pkgver:"1.3.4e", pkgarch:"x86_64", pkgnum:"1_slack13.0")) flag++;
    
    if (slackware_check(osver:"13.1", pkgname:"proftpd", pkgver:"1.3.4e", pkgarch:"i486", pkgnum:"1_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"proftpd", pkgver:"1.3.4e", pkgarch:"x86_64", pkgnum:"1_slack13.1")) flag++;
    
    if (slackware_check(osver:"13.37", pkgname:"proftpd", pkgver:"1.3.4e", pkgarch:"i486", pkgnum:"1_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"proftpd", pkgver:"1.3.4e", pkgarch:"x86_64", pkgnum:"1_slack13.37")) flag++;
    
    if (slackware_check(osver:"14.0", pkgname:"proftpd", pkgver:"1.3.4e", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"proftpd", pkgver:"1.3.4e", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++;
    
    if (slackware_check(osver:"14.1", pkgname:"proftpd", pkgver:"1.3.4e", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"proftpd", pkgver:"1.3.4e", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"proftpd", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"proftpd", pkgver:"1.3.5", pkgarch:"x86_64", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_D0034536FF2411E4A072D050996490D0.NASL
    descriptionProFTPd development team reports : Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module
    last seen2020-06-01
    modified2020-06-02
    plugin id83752
    published2015-05-21
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83752
    titleFreeBSD : proftpd -- arbitrary code execution vulnerability with chroot (d0034536-ff24-11e4-a072-d050996490d0)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3263.NASL
    descriptionVadim Melihow discovered that in proftpd-dfsg, an FTP server, the mod_copy module allowed unauthenticated users to copy files around on the server, and possibly to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id83546
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83546
    titleDebian DSA-3263-1 : proftpd-dfsg - security update
  • NASL familyFTP
    NASL idPROFTPD_1_3_5_INFO_DISC.NASL
    descriptionThe remote host is running a version of ProFTPD that is affected by an information disclosure vulnerability in the mod_copy module due to the SITE CPFR and SITE CPTO commands being available to unauthenticated clients. An unauthenticated, remote attacker can exploit this flaw to read and write to arbitrary files on any web accessible path on the host.
    last seen2020-03-28
    modified2015-06-16
    plugin id84215
    published2015-06-16
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84215
    titleProFTPD mod_copy Information Disclosure

Packetstorm

Saint

bid74238
descriptionProFTPD mod_copy command execution
idftp_proftp
osvdb120834
titleproftpd_mod_copy
typeremote

The Hacker News

idTHN:AB717FBC8FF7C7C1D194A126C788DF50
last seen2019-07-23
modified2019-07-23
published2019-07-23
reporterThe Hacker News
sourcehttps://thehackernews.com/2019/07/linux-ftp-server-security.html
titleA New 'Arbitrary File Copy' Flaw Affects ProFTPD Powered FTP Servers