The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of ProFTPD

computer vulnerability alert CVE-2017-7418

ProFTPD: privilege escalation via AllowChrootSymlinks

Synthesis of the vulnerability

An attacker can bypass restrictions via AllowChrootSymlinks of ProFTPD, in order to escalate his privileges.
Impacted products: Fedora, openSUSE Leap, Solaris, ProFTPD, Slackware.
Severity: 1/4.
Consequences: privileged access/rights, user access/rights.
Provenance: privileged shell.
Creation date: 05/04/2017.
Identifiers: 4295, bulletinjul2018, CVE-2017-7418, FEDORA-2017-c6f424c3ff, FEDORA-2017-e15e37b689, openSUSE-SU-2017:1035-1, SSA:2017-112-03, VIGILANCE-VUL-22336.

Description of the vulnerability

An attacker can bypass restrictions via AllowChrootSymlinks of ProFTPD, in order to escalate his privileges.

computer vulnerability note CVE-2016-3125

ProFTPD: usage of DH 1024 bits by mod_tls

Synthesis of the vulnerability

An attacker can potentially decrypt a TLS session of ProFTPD, in order to obtain the content of transferred files.
Impacted products: Fedora, openSUSE, openSUSE Leap, ProFTPD.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet server.
Creation date: 11/03/2016.
Identifiers: 4230, CVE-2016-3125, FEDORA-2016-977d57cf2d, FEDORA-2016-f95d8ea3ad, openSUSE-SU-2016:1334-1, openSUSE-SU-2016:1558-1, VIGILANCE-VUL-19159.

Description of the vulnerability

The ProFTPD product uses the mod_tls module to establish sessions secured by TLS.

The administrator can use the TLSDHParamFile parameter to specify a file containing a Diffie-Hellman group of, for example, 4096 bits. However, ProFTPD always uses its 1024-bit group, which is too weak.

An attacker can therefore potentially decrypt a TLS session of ProFTPD, in order to obtain the content of transferred files.

vulnerability note 18394

ProFTPD: denial of service via SFTP

Synthesis of the vulnerability

An attacker can force the SFTP module of ProFTPD to allocate a large amount of resources, in order to trigger a denial of service.
Impacted products: Fedora, ProFTPD.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 30/11/2015.
Identifiers: 4210, FEDORA-2015-7a89e8db70, FEDORA-2015-97055df8a0, VIGILANCE-VUL-18394.

Description of the vulnerability

The ProFTPD product implements an SFTP module, which can be enabled.

However, the mod_sftp module does not limit the memory size allocated to store SFTP extensions.

An attacker can therefore force the SFTP module of ProFTPD to allocate a large amount of resources, in order to trigger a denial of service.

vulnerability bulletin 18393

ProFTPD: unreachable memory reading via Zero Length Malloc

Synthesis of the vulnerability

An attacker can force a read at an invalid address with a zero length malloc() by ProFTPD, in order to trigger a denial of service.
Impacted products: ProFTPD.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 30/11/2015.
Identifiers: 4209, VIGILANCE-VUL-18393.

Description of the vulnerability

The ProFTPD product uses the malloc() function to allocate memory.

When a zero-length memory area is requested, some malloc implementations (non-POSIX) return a static pointer, which should not be accessed. However, ProFTPD tries to read this unreachable memory area, which triggers a fatal error.

An attacker can therefore force a read at an invalid address with a zero length malloc() by ProFTPD, in order to trigger a denial of service.

computer vulnerability 17005

ProFTPD: anonymous users are not limited

Synthesis of the vulnerability

An anonymous attacker can use numerous sessions on ProFTPD, in order to bypass MaxClients and trigger a denial of service.
Impacted products: ProFTPD.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 28/05/2015.
Identifiers: 4068, VIGILANCE-VUL-17005.

Description of the vulnerability

The ProFTPD product uses the MaxClients directive to define the maximal number of clients allowed to simultaneously connect on the service.

The have_client_limits() function of the modules/mod_auth.c file always uses the configuration of the connected user. However, when the user is anonymous, the MaxClients directive is ignored.

An anonymous attacker can therefore use numerous sessions on ProFTPD, in order to bypass MaxClients and trigger a denial of service.

computer vulnerability alert CVE-2015-3306

ProFTPD: read-write access via mod_copy

Synthesis of the vulnerability

An attacker can bypass access restrictions via mod_copy of ProFTPD, in order to read or alter files.
Impacted products: Debian, Fedora, openSUSE, ProFTPD, Slackware.
Severity: 3/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 15/04/2015.
Identifiers: 4169, CERTFR-2015-AVI-178, CERTFR-2015-AVI-235, CVE-2015-3306, DSA-3263-1, FEDORA-2015-6401, FEDORA-2015-7086, openSUSE-SU-2015:1031-1, SSA:2015-111-12, VIGILANCE-VUL-16616.

Description of the vulnerability

The ProFTPD product can be configured with the mod_copy module, which adds the following commands:
  SITE CPFR originalFile
  SITE CPTO newFile

However, this module can be used without being authenticated. An attacker can thus bypass access restrictions to data.

An attacker can therefore bypass access restrictions via mod_copy of ProFTPD, in order to read or alter files.

vulnerability announce CVE-2013-4359

ProFTPD: denial of service via mod_sftp_pam

Synthesis of the vulnerability

When mod_sftp_pam is enabled on ProFTPD, with a keyboard-interactive authentication, an attacker can send a special SSH packet, to force ProFTPD to allocate a large memory area, in order to trigger a denial of service.
Impacted products: Debian, Fedora, openSUSE, ProFTPD.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 11/09/2013.
Identifiers: BID-62328, CERTA-2013-AVI-549, CVE-2013-4359, DSA-2767-1, DSA-27671-1, FEDORA-2013-16798, FEDORA-2013-16810, MDVSA-2013:245, openSUSE-SU-2013:1563-1, openSUSE-SU-2015:1031-1, VIGILANCE-VUL-13412.

Description of the vulnerability

The mod_sftp module of ProFTPD implements the SFTP sub-system of the SSHv2 protocol. Files are thus transferred inside an SSH session.

The SFTPAuthMethods parameter indicates the supported authentication methods:
 - publickey
 - password
 - keyboard-interactive
 - etc.
The "keyboard-interactive" method uses the mod_sftp_pam module, and allows several message exchanges during the authentication phase.

The contrib/mod_sftp/kbdint.c file of ProFTPD implements the "keyboard-interactive" method. The number of exchanges is stored in the "resp_count" variable. However, ProFTPD does not check if this value is large, before allocating the requested memory areas.

When mod_sftp_pam is enabled on ProFTPD, with a keyboard-interactive authentication, an attacker can therefore send a special SSH packet, to force ProFTPD to allocate a large memory area, in order to trigger a denial of service.
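
The missing check on "resp_count" described above, shown as an added example (not ProFTPD's code): a parser for the body of a keyboard-interactive response (a uint32 count followed by length-prefixed strings, after the message type byte) that bounds the count before allocating. The function names and the cap of 500 are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define KBDINT_MAX_RESPONSES 500u  /* assumed cap; the page states no limit */

/* Read a big-endian uint32 (SSH wire format) and advance the cursor. */
static int read_u32(const uint8_t **p, size_t *left, uint32_t *out) {
    if (*left < 4) return -1;
    *out = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
           ((uint32_t)(*p)[2] << 8) | (uint32_t)(*p)[3];
    *p += 4; *left -= 4;
    return 0;
}

/* Hypothetical parser: uint32 resp_count, then resp_count strings
 * (uint32 length + bytes). Returns the count and fills *out, or -1. */
int parse_kbdint_responses(const uint8_t *buf, size_t len, char ***out) {
    const uint8_t *p = buf;
    size_t left = len;
    uint32_t resp_count, slen, i = 0;
    char **resp;
    *out = NULL;
    if (read_u32(&p, &left, &resp_count) < 0) return -1;
    /* Bound the count BEFORE allocating: by policy, and by what the packet
     * can physically hold (every string costs at least 4 length bytes). */
    if (resp_count > KBDINT_MAX_RESPONSES || resp_count > left / 4) return -1;
    resp = calloc(resp_count ? resp_count : 1, sizeof(*resp));
    if (resp == NULL) return -1;
    for (; i < resp_count; i++) {
        if (read_u32(&p, &left, &slen) < 0 || slen > left) goto fail;
        if ((resp[i] = malloc((size_t)slen + 1)) == NULL) goto fail;
        memcpy(resp[i], p, slen);
        resp[i][slen] = '\0';
        p += slen; left -= slen;
    }
    *out = resp;
    return (int)resp_count;
fail:
    while (i > 0) free(resp[--i]);
    free(resp);
    return -1;
}

/* Constructed packet body: two responses, "hi" and "". */
static const uint8_t SAMPLE[] = {0,0,0,2, 0,0,0,2,'h','i', 0,0,0,0};
int main(void) {
    char **r;
    return parse_kbdint_responses(SAMPLE, sizeof SAMPLE, &r) == 2 ? 0 : 1;
}
```

The second half of the bound (count against remaining bytes) rejects an oversized count even when no policy cap is configured, because a packet of N bytes cannot carry more than N/4 strings.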

computer vulnerability bulletin CVE-2012-6095

ProFTPD: permission change via UserOwner

Synthesis of the vulnerability

When ProFTPD uses the UserOwner directive, a local attacker can create a directory under a symbolic link, in order to force ProFTPD to change permissions of another directory.
Impacted products: Debian, Fedora, Solaris, ProFTPD.
Severity: 2/4.
Consequences: privileged access/rights, data reading, data creation/edition, data deletion.
Provenance: user shell.
Creation date: 08/01/2013.
Identifiers: 3841, BID-57172, CERTA-2013-AVI-006, CERTA-2013-AVI-543, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CVE-2012-6095, DSA-2606-1, FEDORA-2013-0437, FEDORA-2013-0468, FEDORA-2013-0483, MDVSA-2013:053, VIGILANCE-VUL-12288.

Description of the vulnerability

The UserOwner directive of ProFTPD indicates the name of the owner of files/directories which will be created.

So, when the FTP client calls the MKD/XMKD command, ProFTPD creates the directory, and then changes its owner. However, between these two operations, a local attacker can replace the parent directory with a symbolic link pointing to another tree.

When ProFTPD uses the UserOwner directive, a local attacker can therefore create a directory under a symbolic link, in order to force ProFTPD to change permissions of another directory.
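
The create-then-change-owner window described above, next to a descriptor-based form that closes it, as an added example (not ProFTPD's code or its actual fix). The function names and the demo tree under /tmp are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern described above: two separate path lookups, so the path can
 * resolve to a different directory by the time chown() runs. */
int mkdir_chown_by_path(const char *path, uid_t uid, gid_t gid) {
    if (mkdir(path, 0755) < 0) return -1;
    return chown(path, uid, gid);
}

/* Descriptor-based form: resolve the parent once, refuse a symlink there,
 * then create and chown relative to the pinned descriptor. */
int mkdir_chown_pinned(const char *parent, const char *name,
                       uid_t uid, gid_t gid) {
    struct stat st;
    int rc = -1, fd = -1;
    int dfd = open(parent, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);

    if (dfd < 0) return -1;
    if (mkdirat(dfd, name, 0755) < 0) goto out;
    fd = openat(dfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0 || fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode)) goto out;
    rc = fchown(fd, uid, gid);   /* acts on the inode we just opened */
out:
    if (fd >= 0) close(fd);
    close(dfd);
    return rc;
}

/* Constructed demo tree under /tmp: returns 1 when a symlinked parent is
 * refused and the real parent is accepted. */
int demo(void) {
    char base[] = "/tmp/pinXXXXXX", real[64], lnk[64];
    if (mkdtemp(base) == NULL) return -1;
    snprintf(real, sizeof real, "%s/real", base);
    snprintf(lnk, sizeof lnk, "%s/lnk", base);
    if (mkdir(real, 0755) < 0 || symlink(real, lnk) < 0) return -1;
    int via_link = mkdir_chown_pinned(lnk, "d", getuid(), getgid());
    int via_real = mkdir_chown_pinned(real, "d", getuid(), getgid());
    return via_link == -1 && via_real == 0;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

O_NOFOLLOW only covers the final path component, so intermediate components of the parent path need the same treatment or must lie in a tree that untrusted users cannot modify.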

computer vulnerability 11185

FreeBSD: code execution via ftpd or ProFTPD

Synthesis of the vulnerability

When the directory of the ftp user allows FTP clients to create files, an attacker can upload a library, in order to execute code.
Impacted products: FreeBSD, ProFTPD.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 01/12/2011.
Identifiers: BID-51185, FreeBSD-SA-11:07.chroot, VIGILANCE-VUL-11185.

Description of the vulnerability

When the ftp service of FreeBSD allows anonymous sessions, clients are chrooted in the /home/ftp directory.

When a client sends some FTP commands, such as STAT, the ftpd daemon executes the /bin/ls command in order to obtain the result.

In a chrooted environment, if the /home/ftp/etc/nsswitch.conf file indicates to use the "compat" mode (passwd and group), then the execution of /bin/ls loads the /home/ftp/lib/nss_compat.so.1 library. Note: the /bin/ls command is not executed, but its core is directly called, which loads nss_compat to resolve user names (passwd) and groups.

An attacker who is allowed to create the /home/ftp/etc/nsswitch.conf and /home/ftp/lib/nss_compat.so.1 files via FTP can then execute code via the STAT command. As the /bin/ls core is called with root privileges (uid root and euid ftp), the code runs with elevated privileges.

When the directory of the ftp user allows FTP clients to create files, an attacker can therefore upload a library, in order to execute code.

vulnerability 11150

ProFTPD: file deletion via RNFR

Synthesis of the vulnerability

When an FTP site uses the Limit WRITE directive of ProFTPD to forbid file alteration, an attacker can still remove them.
Impacted products: ProFTPD.
Severity: 2/4.
Consequences: data deletion.
Provenance: user account.
Creation date: 10/11/2011.
Identifiers: 3698, VIGILANCE-VUL-11150.

Description of the vulnerability

The Limit WRITE directive of the ProFTPD configuration file forbids the creation, the modification and the deletion of files or directories.

To rename a file, the FTP protocol uses two commands:
 - RNFR originFile
 - RNTO destinationFile

ProFTPD places FTP commands in groups:
 - G_READ, G_DIRS : the user must have the read privilege to execute this command
 - G_WRITE : the user must have the write privilege to execute this command

However, the RNFR command is placed in the G_DIRS group. An attacker can therefore use it even if he does not have the write privilege on the origin file, with the following sequence:
 - RNFR fileLocatedInADirectoryWithLimitWRITE
 - RNTO fileLocatedInAWritableDirectory (such as /incoming)
The origin file is thus moved to the writable directory, where the attacker can freely delete it.

When an FTP site uses the Limit WRITE directive of ProFTPD to forbid file alteration, an attacker can therefore still remove them.