A New 'Arbitrary File Copy' Flaw Affects ProFTPD Powered FTP Servers

The Hacker News (thehackernews.com), Jul 23, 2019, 3:47 p.m.

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High (percentile 99.8%)


A German security researcher has publicly disclosed details of a serious vulnerability in one of the most popular FTP server applications, which is currently being used by more than one million servers worldwide.

The vulnerable software in question is ProFTPD, an open-source FTP server used by a large number of well-known organizations and websites, including SourceForge, Samba and Slackware, and packaged by many Linux and Unix distributions, such as Debian.

Discovered by Tobias Mädel, the vulnerability resides in ProFTPD's mod_copy module, a component that lets users copy files and directories from one place to another on the server without transferring the data down to the client and back up again.

According to Mädel, an incorrect access-control check in mod_copy lets an authenticated user copy any file on the vulnerable server to a location where that user is otherwise not permitted to write.

In rare circumstances, the flaw may also lead to remote code execution or information disclosure attacks.

John Simpson, a security researcher at Trend Micro, told The Hacker News that to successfully achieve remote code execution on a targeted server, an attacker needs to copy a malicious PHP file to a location where it can be executed.

Not every FTP server running a vulnerable ProFTPD can therefore be hijacked remotely: the attacker needs a login on the targeted server, or the server must have anonymous access enabled. The CVSS 3 vector shown above nevertheless rates Privileges Required as None; for a server that requires credentials, the practical bar is higher than that score suggests.


The vulnerability, assigned CVE-2019-12815, affects all versions of ProFTPD, including the latest release, 1.3.6, which dates from 2017.

Since mod_copy is enabled by default in most ProFTPD packages, the flaw could affect a large number of servers.

According to an advisory, the newly discovered issue is related to a similar four-year-old vulnerability in the same module, CVE-2015-3306, which allowed remote attackers to read and write arbitrary files via the SITE CPFR and SITE CPTO commands.
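As an added example (not code from the article, the researcher, or the ProFTPD project), the following Python script checks whether a server's mod_copy answers the SITE CPFR command named above, without writing anything: it logs in (anonymously by default, since the article notes that anonymous access suffices) and sends only SITE CPFR, the source-selection half of the copy, never SITE CPTO, the half that writes. The reply-code meanings it relies on (350 source accepted, 550 command understood but path rejected, 500 'SITE CPFR' not understood when the module is absent or switched off, 530 not logged in) and the host, port and credential parameters are assumptions taken from mod_copy's usual behaviour, not values from the page.

```python
"""Non-destructive probe for a reachable ProFTPD mod_copy (CVE-2019-12815).

Added example, not code from The Hacker News or the ProFTPD project.
Only SITE CPFR is ever sent; SITE CPTO (which performs the write, and is
the second half of the abuse path the article describes) is never issued,
so the probe changes nothing on the server.

Assumed reply codes for "SITE CPFR <path>":
  350  source accepted                 -> mod_copy active
  550  command understood, path denied -> mod_copy active
  500  'SITE CPFR' not understood      -> module absent or CopyEngine off
  530  not logged in                   -> SITE rejected before login
"""
import sys
from ftplib import FTP, error_perm, error_temp


def classify_cpfr_reply(reply: str) -> str:
    """Map the first three characters (the FTP reply code) to a verdict."""
    code = reply[:3]
    if code == "350":
        return "mod_copy active: source path accepted"
    if code == "550":
        return "mod_copy active: command understood, path rejected"
    if code == "500":
        return "mod_copy inactive: SITE CPFR not understood"
    if code == "530":
        return "not logged in"
    return f"unexpected reply {code!r}"


def probe_mod_copy(host: str, user: str = "anonymous",
                   password: str = "probe@example.invalid",
                   source: str = ".", port: int = 21,
                   timeout: float = 10.0) -> str:
    """Log in and send SITE CPFR on a path that exists and is readable.

    The default source "." (the login directory) is chosen so that an active
    module has every reason to answer 350. Host, credentials and port are
    caller-supplied assumptions.
    """
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login(user, password)
        try:
            # 2yz/3yz replies are returned as strings ...
            reply = ftp.sendcmd(f"SITE CPFR {source}")
        except (error_perm, error_temp) as exc:
            # ... while 4yz/5yz replies are raised; the message is the reply line.
            reply = str(exc)
        return classify_cpfr_reply(reply)
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


if __name__ == "__main__":
    # Usage: python probe_mod_copy.py <host> [user] [password]
    args = sys.argv[1:]
    if not args:
        sys.exit("usage: probe_mod_copy.py <host> [user] [password]")
    print(probe_mod_copy(args[0], *args[1:3]))
```

A 350 or 550 verdict means the module is answering copy commands for that account; whether the <Limit> restrictions that this flaw bypasses would have stopped a follow-up SITE CPTO cannot be told from the probe, so treat either as "patch or disable mod_copy".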

Mädel reported the vulnerability to the ProFTPD project maintainers in September last year, but the team took no action on it for more than nine months.

The researcher then contacted the Debian Security Team last month, after which the ProFTPD team finally produced a patch and, last week, backported it to ProFTPD 1.3.6 without releasing a new version of the server.

As a workaround, administrators can disable the mod_copy module in the ProFTPD configuration until a patched build is in place, which removes the SITE CPFR and SITE CPTO commands this flaw depends on.
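The workaround as a configuration check, added here as an example that is not code from the article or the ProFTPD project. It treats two ProFTPD directives as the relevant settings: LoadModule mod_copy.c (loads the module when it is built as a shared object) and CopyEngine off (switches the module off even when it is loaded). Both directive names are assumptions taken from ProFTPD's documentation rather than from the page, and the two configuration excerpts are constructed samples showing the weak layout beside the hardened one.

```python
"""Static check: does a proftpd.conf leave mod_copy reachable?

Added example, not from the article or the ProFTPD project. Directive names
are assumptions from ProFTPD's documentation:
  LoadModule mod_copy.c   loads mod_copy when built as a shared module
  CopyEngine off          turns mod_copy off even if it is loaded
A statically compiled mod_copy never appears as a LoadModule line, so the
config alone cannot prove the module is absent; only CopyEngine off is
conclusive. <VirtualHost>/<Global> scoping and Include files are not modelled.
"""

# Constructed sample: Debian-style modules.conf with mod_copy loaded and the
# CopyEngine directive left commented out, so the module stays active.
WEAK_CONF = """\
# /etc/proftpd/modules.conf (constructed excerpt)
LoadModule mod_copy.c
<IfModule mod_copy.c>
  # CopyEngine off
</IfModule>
"""

# Constructed sample: the workaround applied (module not loaded and, for a
# static build where LoadModule does not apply, CopyEngine switched off).
HARDENED_CONF = """\
#LoadModule mod_copy.c
<IfModule mod_copy.c>
  CopyEngine off
</IfModule>
"""


def _directives(conf: str):
    """Yield (name, args) per non-comment line; names lower-cased.

    ProFTPD comments start with '#'; everything from '#' to end of line is
    dropped, which also neutralises a commented-out 'CopyEngine off'.
    """
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        yield name, args


def mod_copy_status(conf: str) -> str:
    """Return 'disabled', 'loaded' or 'unknown' for the given config text.

    'disabled'  an active CopyEngine off is present (conclusive)
    'loaded'    LoadModule mod_copy.c is present and nothing turns it off
    'unknown'   neither seen; a static build may still have the module
    """
    loaded = False
    for name, args in _directives(conf):
        if name == "loadmodule" and args.lower() == "mod_copy.c":
            loaded = True
        elif name == "copyengine" and args.lower() == "off":
            return "disabled"
    return "loaded" if loaded else "unknown"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: mod_copy {mod_copy_status(conf)}")
```

An 'unknown' result is not a clean bill of health: on a build with mod_copy compiled in statically the only conclusive evidence is an explicit CopyEngine off, so pair this file check with a runtime SITE CPFR probe against the listening service.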
