The security researcher Tobias Mädel discovered a vulnerability in the open-source ProFTPD file transfer protocol (FTP) server that can be exploited to copy files to vulnerable servers and potentially execute arbitrary code.
“Tobias Mädel has identified a vulnerability in ProFTPd’s mod_copy. mod_copy is supplied in the default installation of ProFTPd and is enabled by default in most distributions (e.g. Debian).” states the advisory.
The expert explained that the CVE-2019-12815 is technically very similar to the CVE-2015-3306 in ProFTPD, but the old issue is “much more dangerous.”
ProFTPD is very popular, it is used in many Linux and Unix distros, you can find it in SourceForge, Samba, and Linksys.
The vulnerability, tracked as CVE-2019-12815, resides in the mod_copy module that implements commands for copying files and folders on the same server without the necessity to first transfer the data to the client. This module is enabled by default in most operating systems.
“An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.” states the advisory published by Mitre.
In order to exploit the flaw, the attacker needs to have access to the targeted machine.
Querying the Shodan search engine for “ProFTPd Anonymous” (i.e., servers that allow anonymous access) it is possible to find over 28,000 potentially exposed to hacking. Most of the servers are in the United States (9,443), followed by Germany (2,638) and Japan (2,002). The attacker would have to connect to the server and attempt to issue a command to determine if it is vulnerable.
Both Debian and SUSE published a security advisory for the vulnerability.
Experts pointed out that the flaw could allow remote code execution only if the server has a certain configuration.
“I’ve seen web servers using ProFTPd with PHP and anonymous access. In this scenario RCE is possible,” the expert told SecurityWeek.
Below the timeline for the flaw:
A patch addressing the flaw is already available, it was backported to version 1.3.6, but it has yet to be included in a new release.
As a workaround, admins can disable the mod_copy module in the ProFTPd configuration file.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Linux)
[adrotate banner=”5″]
[adrotate banner=”13″]
A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and…
As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement…
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
This website uses cookies.