The remote ProFTP daemon is susceptible to an overflow condition.  The TELNET_IAC escape sequence handling fails to properly sanitize user- supplied input resulting in a stack overflow.  With a specially crafted request, an unauthenticated, remote attacker could potentially execute arbitrary code.

This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system.

  - A logic error in the code for processing user input     containing the Telnet IAC (Interpret As Command) escape     sequence can be exploited to cause a stack-based buffer     overflow by sending specially crafted input to the FTP     or FTPS service. Successful exploitation may allow     execution of arbitrary code. This has been assigned the     name CVE-2010-4221. More details can be found at     http://bugs.proftpd.org/show_bug.cgi?id=3521

  - An input validation error within the 'mod_site_misc'     module can be exploited to e.g. create and delete     directories, create symlinks, and change the time of     files located outside a writable directory. Only     configurations using 'mod_site_misc', which is not     enabled by default, and where the attacker has write     access to a directory, are vulnerable to this issue,     which has been assigned CVE-2010-3867. More details can     be found at http://bugs.proftpd.org/show_bug.cgi?id=3519

This update also fixes an issue with SQLite authentication and adds a new module 'mod_geoip', which can be used to look up geographical information on connecting clients and use that to set access controls for the server.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is using ProFTPD, a free FTP server for Unix and Linux.

According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.3c. Such versions are reportedly affected by the following vulnerabilities :

  - When ProFTPD is compiled with 'mod_site_misc' and a     directory is writable, a user can use 'mod_site_misc'     to create or delete a directory outside the writable     directory, create a symlink located outside the     writable directory, or change the time of a file     located outside the writable directory. (Bug #3519)

  - A stack-based buffer overflow exists in the server's     'pr_netio_telnet_gets()' function, which can be     triggered by when reading user input containing a     TELNET_IAC escape sequence. (Bug #3521)

Note that Nessus did not actually test for the flaws but instead has relied on the version in ProFTPD's banner so this may be a false positive.

This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system.

  - A logic error in the code for processing user input     containing the Telnet IAC (Interpret As Command) escape     sequence can be exploited to cause a stack-based buffer     overflow by sending specially crafted input to the FTP     or FTPS service. Successful exploitation may allow     execution of arbitrary code. This has been assigned the     name CVE-2010-4221. More details can be found at     http://bugs.proftpd.org/show_bug.cgi?id=3521

  - An input validation error within the 'mod_site_misc'     module can be exploited to e.g. create and delete     directories, create symlinks, and change the time of     files located outside a writable directory. Only     configurations using 'mod_site_misc', which is not     enabled by default, and where the attacker has write     access to a directory, are vulnerable to this issue,     which has been assigned CVE-2010-3867. More details can     be found at http://bugs.proftpd.org/show_bug.cgi?id=3519

The update from 1.3.2d to 1.3.3c also includes a large number of non-security bugfixes and a number of additional loadable modules for enhanced functionality :

  - mod_geoip

    - mod_sftp

    - mod_sftp_pam

    - mod_sftp_sql

    - mod_shaper

    - mod_sql_passwd

    - mod_tls_shmcache

There is also a new utility 'ftpscrub' for scrubbing the scoreboard file.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were discovered and corrected in proftpd :

Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command (CVE-2010-3867).

Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server (CVE-2010-4221).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90

The updated packages have been patched to correct these issues.

Tippingpoint reports :

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability.

The flaw exists within the proftpd server component which listens by default on TCP port 21. When reading user input if a TELNET_IAC escape sequence is encountered the process miscalculates a buffer length counter value allowing a user controlled copy of data to a stack buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process.

The remote host is affected by the vulnerability described in GLSA-201309-15 (ProFTPD: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ProFTPD. Please review       the CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could possibly execute arbitrary code with       the privileges of the process, perform man-in-the-middle attacks to spoof       arbitrary SSL servers, cause a Denial of Service condition, or read and       modify arbitrary files.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Published	Updated	Severity
70446	ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow	Nessus	FTP	10/15/2013	1/16/2024	critical
50553	Fedora 13 : proftpd-1.3.3c-1.fc13 (2010-17098)	Nessus	Fedora Local Security Checks	11/11/2010	1/11/2021	critical
50544	ProFTPD < 1.3.3c Multiple Vulnerabilities	Nessus	FTP	11/10/2010	3/27/2020	critical
50551	Fedora 14 : proftpd-1.3.3c-1.fc14 (2010-17091)	Nessus	Fedora Local Security Checks	11/11/2010	1/11/2021	critical
50568	Fedora 12 : proftpd-1.3.3c-1.fc12 (2010-17220)	Nessus	Fedora Local Security Checks	11/12/2010	1/11/2021	critical
50571	Mandriva Linux Security Advisory : proftpd (MDVSA-2010:227)	Nessus	Mandriva Local Security Checks	11/12/2010	1/6/2021	critical
50700	FreeBSD : proftpd -- remote code execution vulnerability (533d20e7-f71f-11df-9ae1-000bcdf0a03b)	Nessus	FreeBSD Local Security Checks	11/24/2010	1/6/2021	critical
70111	GLSA-201309-15 : ProFTPD: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	9/25/2013	1/6/2021	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical

critical