ID CVE-2010-4221
Summary Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.
References
Vulnerable Configurations
  • ProFTPD 1.3.2 release candidate 3
    cpe:2.3:a:proftpd:proftpd:1.3.2:rc3
  • ProFTPD 1.3.2 release candidate 4
    cpe:2.3:a:proftpd:proftpd:1.3.2:rc4
  • ProFTPD 1.3.2
    cpe:2.3:a:proftpd:proftpd:1.3.2
  • ProFTPD 1.3.2a
    cpe:2.3:a:proftpd:proftpd:1.3.2:a
  • ProFTPD 1.3.2b
    cpe:2.3:a:proftpd:proftpd:1.3.2:b
  • ProFTPD 1.3.2c
    cpe:2.3:a:proftpd:proftpd:1.3.2:c
  • ProFTPD 1.3.2d
    cpe:2.3:a:proftpd:proftpd:1.3.2:d
  • ProFTPD 1.3.2e
    cpe:2.3:a:proftpd:proftpd:1.3.2:e
  • ProFTPD 1.3.3 release candidate 1
    cpe:2.3:a:proftpd:proftpd:1.3.3:rc1
  • ProFTPD 1.3.3 release candidate 2
    cpe:2.3:a:proftpd:proftpd:1.3.3:rc2
  • ProFTPD 1.3.3 release candidate 3
    cpe:2.3:a:proftpd:proftpd:1.3.3:rc3
  • ProFTPD 1.3.3 release candidate 4
    cpe:2.3:a:proftpd:proftpd:1.3.3:rc4
  • ProFTPD 1.3.3
    cpe:2.3:a:proftpd:proftpd:1.3.3
  • ProFTPD 1.3.3a
    cpe:2.3:a:proftpd:proftpd:1.3.3:a
  • ProFTPD 1.3.3b
    cpe:2.3:a:proftpd:proftpd:1.3.3:b
CVSS
Base: 10.0 (as of 10-11-2010 - 12:40)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
  Vector     Complexity   Authentication
  NETWORK    LOW          NONE
Impact
  Confidentiality   Integrity   Availability
  COMPLETE          COMPLETE    COMPLETE
exploit-db via4
  • description ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD). CVE-2010-4221. Remote exploit for linux platform
    id EDB-ID:16878
    last seen 2016-02-02
    modified 2010-12-02
    published 2010-12-02
    reporter metasploit
    source https://www.exploit-db.com/download/16878/
    title ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow FreeBSD
  • description ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux). CVE-2010-4221. Remote exploit for linux platform
    id EDB-ID:16851
    last seen 2016-02-02
    modified 2011-01-09
    published 2011-01-09
    reporter metasploit
    source https://www.exploit-db.com/download/16851/
    title ProFTPD 1.3.2rc3 - 1.3.3b - Telnet IAC Buffer Overflow Linux
  • description ProFTPD IAC Remote Root Exploit. CVE-2010-4221. Remote exploit for linux platform
    id EDB-ID:15449
    last seen 2016-02-01
    modified 2010-11-07
    published 2010-11-07
    reporter kingcope
    source https://www.exploit-db.com/download/15449/
    title ProFTPD IAC 1.3.x - Remote Root Exploit
metasploit via4
  • description This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code.
    id MSF:EXPLOIT/FREEBSD/FTP/PROFTP_TELNET_IAC
    last seen 2019-03-16
    modified 2017-07-24
    published 2010-11-04
    reliability Great
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/ftp/proftp_telnet_iac.rb
    title ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
  • description This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. The Debian Squeeze version of the exploit uses a little ROP stub to indirectly transfer the flow of execution to a pool buffer (the cmd_rec "res" in "pr_cmd_read"). The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub to it, and execute the stub. The stub then copies the remainder of the payload in and executes it. NOTE: Most Linux distributions either do not ship a vulnerable version of ProFTPD, or they ship a version compiled with stack smashing protection. Although SSP significantly reduces the probability of a single attempt succeeding, it will not prevent exploitation. Since the daemon forks in a default configuration, the cookie value will remain the same despite some attempts failing. By making repeated requests, an attacker can eventually guess the cookie value and exploit the vulnerability. The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness and could allow exploitation in semi-reasonable amount of time.
    id MSF:EXPLOIT/LINUX/FTP/PROFTP_TELNET_IAC
    last seen 2019-02-05
    modified 2017-08-29
    published 2010-11-05
    reliability Great
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ftp/proftp_telnet_iac.rb
    title ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
nessus via4
  • NASL family FTP
    NASL id PROFTPD_1_3_3C.NASL
    description The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.3c. Such versions are reportedly affected by the following vulnerabilities : - When ProFTPD is compiled with 'mod_site_misc' and a directory is writable, a user can use 'mod_site_misc' to create or delete a directory outside the writable directory, create a symlink located outside the writable directory, or change the time of a file located outside the writable directory. (Bug #3519) - A stack-based buffer overflow exists in the server's 'pr_netio_telnet_gets()' function, which can be triggered when reading user input containing a TELNET_IAC escape sequence. (Bug #3521) Note that Nessus did not actually test for the flaws but instead has relied on the version in ProFTPD's banner, so this may be a false positive.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 50544
    published 2010-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50544
    title ProFTPD < 1.3.3c Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-17091.NASL
    description This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system. - A logic error in the code for processing user input containing the Telnet IAC (Interpret As Command) escape sequence can be exploited to cause a stack-based buffer overflow by sending specially crafted input to the FTP or FTPS service. Successful exploitation may allow execution of arbitrary code. This has been assigned the name CVE-2010-4221. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3521 - An input validation error within the 'mod_site_misc' module can be exploited to e.g. create and delete directories, create symlinks, and change the time of files located outside a writable directory. Only configurations using 'mod_site_misc', which is not enabled by default, and where the attacker has write access to a directory, are vulnerable to this issue, which has been assigned CVE-2010-3867. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3519 This update also fixes an issue with SQLite authentication and adds a new module 'mod_geoip', which can be used to look up geographical information on connecting clients and use that to set access controls for the server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50551
    published 2010-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50551
    title Fedora 14 : proftpd-1.3.3c-1.fc14 (2010-17091)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-17220.NASL
    description This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system. - A logic error in the code for processing user input containing the Telnet IAC (Interpret As Command) escape sequence can be exploited to cause a stack-based buffer overflow by sending specially crafted input to the FTP or FTPS service. Successful exploitation may allow execution of arbitrary code. This has been assigned the name CVE-2010-4221. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3521 - An input validation error within the 'mod_site_misc' module can be exploited to e.g. create and delete directories, create symlinks, and change the time of files located outside a writable directory. Only configurations using 'mod_site_misc', which is not enabled by default, and where the attacker has write access to a directory, are vulnerable to this issue, which has been assigned CVE-2010-3867. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3519 The update from 1.3.2d to 1.3.3c also includes a large number of non-security bugfixes and a number of additional loadable modules for enhanced functionality : - mod_geoip - mod_sftp - mod_sftp_pam - mod_sftp_sql - mod_shaper - mod_sql_passwd - mod_tls_shmcache There is also a new utility 'ftpscrub' for scrubbing the scoreboard file. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50568
    published 2010-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50568
    title Fedora 12 : proftpd-1.3.3c-1.fc12 (2010-17220)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-17098.NASL
    description This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system. - A logic error in the code for processing user input containing the Telnet IAC (Interpret As Command) escape sequence can be exploited to cause a stack-based buffer overflow by sending specially crafted input to the FTP or FTPS service. Successful exploitation may allow execution of arbitrary code. This has been assigned the name CVE-2010-4221. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3521 - An input validation error within the 'mod_site_misc' module can be exploited to e.g. create and delete directories, create symlinks, and change the time of files located outside a writable directory. Only configurations using 'mod_site_misc', which is not enabled by default, and where the attacker has write access to a directory, are vulnerable to this issue, which has been assigned CVE-2010-3867. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3519 This update also fixes an issue with SQLite authentication and adds a new module 'mod_geoip', which can be used to look up geographical information on connecting clients and use that to set access controls for the server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50553
    published 2010-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50553
    title Fedora 13 : proftpd-1.3.3c-1.fc13 (2010-17098)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201309-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-201309-15 (ProFTPD: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in ProFTPD. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could possibly execute arbitrary code with the privileges of the process, perform man-in-the-middle attacks to spoof arbitrary SSL servers, cause a Denial of Service condition, or read and modify arbitrary files. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 70111
    published 2013-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70111
    title GLSA-201309-15 : ProFTPD: Multiple vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_533D20E7F71F11DF9AE1000BCDF0A03B.NASL
    description Tippingpoint reports : This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability. The flaw exists within the proftpd server component which listens by default on TCP port 21. When reading user input if a TELNET_IAC escape sequence is encountered the process miscalculates a buffer length counter value allowing a user controlled copy of data to a stack buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 50700
    published 2010-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50700
    title FreeBSD : proftpd -- remote code execution vulnerability (533d20e7-f71f-11df-9ae1-000bcdf0a03b)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-227.NASL
    description Multiple vulnerabilities were discovered and corrected in proftpd : Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command (CVE-2010-3867). Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server (CVE-2010-4221). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 50571
    published 2010-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50571
    title Mandriva Linux Security Advisory : proftpd (MDVSA-2010:227)
  • NASL family FTP
    NASL id PROFTPD_RCE.NASL
    description The remote ProFTP daemon is susceptible to an overflow condition. The TELNET_IAC escape sequence handling fails to properly sanitize user-supplied input resulting in a stack overflow. With a specially crafted request, an unauthenticated, remote attacker could potentially execute arbitrary code.
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 70446
    published 2013-10-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70446
    title ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow
refmap via4
bid 44562
confirm
fedora
  • FEDORA-2010-17091
  • FEDORA-2010-17098
  • FEDORA-2010-17220
mandriva MDVSA-2010:227
misc http://www.zerodayinitiative.com/advisories/ZDI-10-229/
secunia
  • 42052
  • 42217
vupen
  • ADV-2010-2941
  • ADV-2010-2959
  • ADV-2010-2962
saint via4
bid 44562
description ProFTPD Telnet IAC buffer overflow
osvdb 68985
title proftpd_telnet_iac
type remote
Last major update 14-09-2011 - 23:18
Published 09-11-2010 - 16:00