ProFTPD Compromised Source Packages Trojaned Distribution

Severity: High. Nessus Plugin ID 50989

Synopsis

The FTP server contains a backdoor allowing execution of arbitrary code.

Description

The remote host is using ProFTPD, a free FTP server for Unix and Linux.

The version of ProFTPD installed on the remote host was compiled with a backdoor in 'src/help.c'. The backdoor is apparently related to a compromise of the ProFTPD project's main distribution server on the 28th of November 2010 around 20:00 UTC, which was not addressed until the 2nd of December 2010.

By sending a special HELP command, an unauthenticated, remote attacker can gain a shell and execute arbitrary commands with system privileges.

Note that the compromised distribution file also contained code that ran as part of the initial configuration step and sent a special HTTP request to a server in Saudi Arabia. If this install was built from source, you should assume that the author of the backdoor is already aware of it.
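The trojaned files sat inside a source tree fetched from the project's own distribution server, so a checksum published on that same server proves nothing. The following is an added example, not code from the Nessus plugin or the ProFTPD project: it builds a SHA-256 manifest from a tree obtained through a trusted channel (for instance a release whose detached signature has been verified) and reconciles a candidate tree against it, reporting files that were modified, added or removed. The two directory trees and their contents are constructed inline for the demonstration; file names such as `src/help.c` and `configure` mirror the page's description but the contents are placeholders.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large tarball extracts are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (posix-style relative path) to its hash."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(trusted_manifest, candidate_root):
    """Reconcile a candidate source tree against a manifest from a trusted tree."""
    candidate = build_manifest(candidate_root)
    modified = sorted(k for k in trusted_manifest
                      if k in candidate and candidate[k] != trusted_manifest[k])
    added = sorted(k for k in candidate if k not in trusted_manifest)
    missing = sorted(k for k in trusted_manifest if k not in candidate)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed sample: a clean tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "trusted"
        candidate = Path(tmp) / "candidate"
        for root in (trusted, candidate):
            (root / "src").mkdir(parents=True)
            (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
            (root / "configure").write_text("#!/bin/sh\necho configuring\n")
        (trusted / "src" / "help.c").write_text("/* help command handler */\n")
        # Constructed tampering: an extra block in help.c and an extra line in configure,
        # standing in for the two places the advisory says the trojaned release differed.
        (candidate / "src" / "help.c").write_text(
            "/* help command handler */\n/* CONSTRUCTED: unexpected extra code */\n")
        (candidate / "configure").write_text(
            "#!/bin/sh\necho configuring\n# CONSTRUCTED: unexpected extra step\n")
        return compare_trees(build_manifest(trusted), candidate)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the trusted manifest is generated once from a verified release and stored separately from the build host; any non-empty `modified` or `added` list on a tree you are about to `./configure && make` is a reason to stop and rebuild from a known-good source, which is the remediation the plugin recommends.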

Solution

Reinstall the host from known, good sources.

See Also

https://www.theregister.co.uk/2010/12/02/proftpd_backdoored/

https://xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/

http://www.nessus.org/u?74de525d

Plugin Details

Severity: High

ID: 50989

File Name: proftpd_1_3_3c_backdoor.nasl

Version: 1.16

Type: remote

Family: FTP

Published: 12/6/2010

Updated: 3/27/2020

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score from a more in-depth analysis done by Tenable

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:proftpd:proftpd

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/2/2010

Vulnerability Publication Date: 12/2/2010

Exploitable With

Metasploit (ProFTPD-1.3.3c Backdoor Command Execution)

Reference Information

BID: 45150