A new ProFTPD vulnerability exposes servers to hack

A flaw in the open-source ProFTPD file transfer protocol (FTP) server can be exploited to copy files to vulnerable servers and potentially execute arbitrary code.

The security researcher Tobias Mädel discovered a vulnerability in the open-source ProFTPD file transfer protocol (FTP) server that can be exploited to copy files to vulnerable servers and potentially execute arbitrary code.

“Tobias Mädel has identified a vulnerability in ProFTPd’s mod_copy. mod_copy is supplied in the default installation of ProFTPd and is enabled by default in most distributions (e.g. Debian).” states the advisory.

The expert explained that the CVE-2019-12815 is technically very similar to the CVE-2015-3306 in ProFTPD, but the old issue is “much more dangerous.”

ProFTPD is very popular, it is used in many Linux and Unix distros, you can find it in SourceForge, Samba, and Linksys.

The vulnerability, tracked as CVE-2019-12815, resides in the mod_copy module that implements commands for copying files and folders on the same server without the necessity to first transfer the data to the client. This module is enabled by default in most operating systems.

“An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.” states the advisory published by Mitre.

In order to exploit the flaw, the attacker needs to have access to the targeted machine.

Querying the Shodan search engine for “ProFTPd Anonymous” (i.e., servers that allow anonymous access) it is possible to find over 28,000 potentially exposed to hacking. Most of the servers are in the United States (9,443), followed by Germany (2,638) and Japan (2,002). The attacker would have to connect to the server and attempt to issue a command to determine if it is vulnerable.

Both Debian and SUSE published a security advisory for the vulnerability.

Experts pointed out that the flaw could allow remote code execution only if the server has a certain configuration.

“I’ve seen web servers using ProFTPd with PHP and anonymous access. In this scenario RCE is possible,” the expert told SecurityWeek.

Below the timeline for the flaw:

• 28.09.2018 Reported to ProFTPd security@, ProFTPd asking for clarifications
• 12.06.2019 Reported to Debian Security Team, replies by Moritz & Salvatore
• 28.06.2019 Deadline for public disclosure on 28.07.2019 announced
• 17.07.2019 Fix published by ProFTPd

A patch addressing the flaw is already available, it was backported to version 1.3.6, but it has yet to be included in a new release.

As a workaround, admins can disable the mod_copy module in the ProFTPd configuration file.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]