Debian proftpd root Privilege Escalation

high Nessus Network Monitor Plugin ID 1817

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The remote FTP server is subject to two flaws:
- There is a configuration error in the postinst script that is triggered when the user answers 'yes' when asked whether anonymous access should be enabled. The postinst script wrongly leaves the 'run as uid/gid root' configuration option in /etc/proftpd.conf, and adds a 'run as uid/gid nobody' option that has no effect.
- There is a bug that appears when /var is a symlink and proftpd is restarted. When proftpd is stopped, the /var symlink is removed; when it is started again, a file named /var is created.
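
A host-side check for both conditions, as an added example that is not part of the plugin or of the Debian advisory. It assumes the 'run as uid/gid' options are ProFTPD's `User` and `Group` directives; the function names and the sample configuration are constructed for illustration.

```python
import os
import re

# ProFTPD's User/Group directives; directive names are matched case-insensitively.
DIRECTIVE = re.compile(r'^\s*(User|Group)\s+"?([^\s"]+)"?', re.IGNORECASE)
OPEN = re.compile(r'^\s*<\s*([A-Za-z]+)')
CLOSE = re.compile(r'^\s*</')

# Constructed sample, not the file the Debian postinst actually wrote.
SAMPLE_CONF = """\
ServerName "example"
User root
Group root
<Anonymous ~ftp>
  User ftp
  Group nogroup
</Anonymous>
User nobody
Group nogroup
"""

def audit_identity(conf_text):
    """Flag User/Group root directives and list other values set in the same context."""
    stack, seen = [], {}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif OPEN.match(line):
            stack.append(OPEN.match(line).group(1).lower())
        elif DIRECTIVE.match(line):
            name, value = DIRECTIVE.match(line).groups()
            context = "/".join(stack) or "server"
            seen.setdefault((context, name.lower()), []).append((lineno, value))
    findings = []
    for (context, name), entries in seen.items():
        for lineno, value in entries:
            if value == "root":
                rivals = [n for n, v in entries if v != "root"]
                findings.append((lineno, context, name, rivals))
    return sorted(findings)

def var_state(path="/var"):
    """Classify the path: a symlink is the bug's precondition, a file its aftermath."""
    if os.path.islink(path):
        return "symlink"
    if os.path.isdir(path):
        return "directory"
    return "file" if os.path.exists(path) else "missing"
```

Run `audit_identity` on the contents of /etc/proftpd.conf: each finding gives the line of a root directive, its context, and the lines where the same directive is set again in that context, which is the leftover-plus-ineffective-override pattern described above.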

Solution

Upgrade proftpd to proftpd-1.2.0pre10-2.0potato1 or higher.

See Also

http://www.debian.org/security/2001/dsa-032

Plugin Details

Severity: High

ID: 1817

Family: FTP Servers

Published: 8/20/2004

Updated: 3/6/2019

Nessus ID: 11450

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux

Reference Information

CVE: CVE-2001-0456