ProFTPD Compromised Source Packages Trojaned Distribution

Critical Nessus Plugin ID 50989

Synopsis

The FTP server contains a backdoor allowing execution of arbitrary code.

Description

The remote host is using ProFTPD, a free FTP server for Unix and Linux.

The version of ProFTPD installed on the remote host has been compiled with a backdoor in 'src/help.c', apparently related to a compromise of the main distribution server for the ProFTPD project on the 28th of November 2010 around 20:00 UTC and not addressed until the 2nd of December 2010.

By sending a special HELP command, an unauthenticated, remote attacker can gain a shell and execute arbitrary commands with system privileges.

Note that the compromised distribution file also contained code that ran as part of the initial configuration step and sent a special HTTP request to a server in Saudi Arabia. If this install was built from source, you should assume that the author of the backdoor is already aware of this installation.

Solution

Reinstall the host from known-good sources.

See Also

http://www.theregister.co.uk/2010/12/02/proftpd_backdoored/

http://xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/

http://www.nessus.org/u?74de525d

Plugin Details

Severity: Critical

ID: 50989

File Name: proftpd_1_3_3c_backdoor.nasl

Version: 1.13

Type: remote

Family: FTP

Published: 2010/12/06

Modified: 2018/08/08

Dependencies: 10092

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 8.8

Temporal Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:proftpd:proftpd

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2010/12/02

Vulnerability Publication Date: 2010/12/02

Exploitable With

Metasploit (ProFTPD-1.3.3c Backdoor Command Execution)

Reference Information

BID: 45150

EDB-ID: 15662