A security hole affecting the free and open source ProFTPD file transfer protocol (FTP) server can be exploited to copy files to vulnerable servers and possibly execute arbitrary code.
ProFTPD is advertised as a “high-performance, extremely configurable, and most of all a secure FTP server.” ProFTPD is used by many projects and organizations, including SourceForge, Samba, and Linksys, and it’s available in many Linux and Unix distributions.
Germany-based researcher Tobias Mädel discovered that the software is affected by a vulnerability in the mod_copy module, which implements commands for copying files and folders on the server itself, without first transferring the data to the client. The module is enabled by default in most operating systems.
Mädel told SecurityWeek that exploitation of the vulnerability requires access (at least anonymous access) to the targeted machine.
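The mod_copy module implements the SITE CPFR and SITE CPTO commands (copy-from and copy-to). As an added example that is not from the article, the researcher's advisory, or the ProFTPD project, the configuration fragment below shows the hardening a defender can apply while a patched package is not yet available: disabling mod_copy outright, and denying its two commands inside the Anonymous section. The file paths are assumptions (on Debian-derived packages the module list normally lives in /etc/proftpd/modules.conf and the main configuration in /etc/proftpd/proftpd.conf; other builds use a single proftpd.conf), and the `SITE_CPFR` / `SITE_CPTO` names in the Limit block are assumed to follow the convention ProFTPD uses for its other SITE commands, so check them against the mod_copy documentation for your version.

```apache
# /etc/proftpd/modules.conf  (assumed Debian-style layout)
#
# Weak setting: the module is loaded, so any session that can log in,
# anonymous sessions included, may issue SITE CPFR / SITE CPTO and copy
# files on the server side.
#
#   LoadModule mod_copy.c
#
# Hardened setting: keep the LoadModule line commented out so the module is
# never loaded. If mod_copy was compiled in statically there is no such line,
# and the Limit block below is the only configuration-level control.

# /etc/proftpd/proftpd.conf  (assumed path)
<Anonymous ~ftp>
  User            ftp
  Group           nogroup
  UserAlias       anonymous ftp
  RequireValidShell off
  MaxClients      10

  # Anonymous users may only download. Note that this WRITE limit alone is
  # not sufficient on unpatched versions, which is why the module itself
  # should be disabled or its commands denied explicitly.
  <Limit WRITE>
    DenyAll
  </Limit>

  # Belt and braces: refuse the mod_copy commands by name (assumed syntax).
  <Limit SITE_CPFR SITE_CPTO>
    DenyAll
  </Limit>
</Anonymous>
```

After changing the configuration, validate it with `proftpd -t` before reloading, and confirm from a client that `SITE CPFR` now returns a permission-denied or unknown-command response rather than a success code.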
“Attacks could be made (for example) on Open Source mirror servers,” the researcher explained. “These have anonymous access enabled, often use ProFTPd and host a lot of binary files. A malicious actor would need to get his malicious file to this machine somehow (for example by distributing it at some unrelated project which is also mirrored on this server) and can then override any file on the mirror server with this (infected) version. This could be used to swap out .iso files or .exe installers where no strict validations (like GPG signatures on apt repositories) are in place.”
Another attack scenario described by the expert leverages auto-updaters. He discovered that the update server of Gajim, a popular open source XMPP client, ran ProFTPD and allowed attackers to upload arbitrary files to the server, execute PHP code, and replace the client's binaries. Gajim developers were privately notified of the issue and rolled out a fix.
A Shodan search for “ProFTPd Anonymous” (i.e., servers that allow anonymous access) shows over 28,000 potentially vulnerable servers, mostly in the United States (9,400), Germany (2,600), Japan (2,000), Russia (1,300) and France (1,200), but Mädel said an attacker would have to connect to each server and attempt to issue a command to see if it’s actually vulnerable.
The advisories published by Debian and SUSE say the flaw “allows for remote code execution and information disclosure without authentication.” However, Mädel told SecurityWeek that he considers remote code execution an edge case for this vulnerability as the targeted server would need to be configured in a certain way, not the typical configuration.
“I’ve seen web servers using ProFTPd with PHP and anonymous access. In this scenario RCE is possible,” he explained.
Mädel said he reported his findings to the ProFTPD developers in late September 2018, but no action was taken until recently. The researcher stumbled upon the issue again while working on a project and informed the Debian security team, which in turn contacted the software's developers.
A fix has been developed and backported to ProFTPD 1.3.6, a version announced in April 2017, but the patch has yet to be included in a new release.
The researcher pointed out that CVE-2019-12815 is technically very similar to an old vulnerability in ProFTPD, CVE-2015-3306, but the flaw discovered in 2015 was “much more dangerous.”