vsftpd Smiley Face Backdoor

high Nessus Plugin ID 55523

Synopsis

The remote FTP server contains a backdoor, allowing execution of arbitrary code.

Description

The version of vsftpd running on the remote host has been compiled with a backdoor. Attempting to login with a username containing :) (a smiley face) triggers the backdoor, which results in a shell listening on TCP port 6200. The shell stops listening after a client connects to and disconnects from it.

An unauthenticated, remote attacker could exploit this to execute arbitrary code as root.

Solution

Validate and recompile a legitimate copy of the source code.

See Also

https://pastebin.com/AetT9sS5

http://www.nessus.org/u?a76e4567

Plugin Details

Severity: High

ID: 55523

File Name: vsftpd_smileyface_backdoor.nasl

Version: 1.9

Type: remote

Family: FTP

Published: 7/6/2011

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

Excluded KB Items: global_settings/supplied_logins_only

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/3/2011

Vulnerability Publication Date: 7/3/2011

Exploitable With

Metasploit (VSFTPD v2.3.4 Backdoor Command Execution)

Reference Information

BID: 48539