vsftpd Smiley Face Backdoor

Critical Nessus Plugin ID 55523

Synopsis

The remote FTP server contains a backdoor, allowing execution of arbitrary code.

Description

The version of vsftpd running on the remote host has been compiled with a backdoor. Attempting to login with a username containing :) (a smiley face) triggers the backdoor, which results in a shell listening on TCP port 6200. The shell stops listening after a client connects to and disconnects from it.

An unauthenticated, remote attacker could exploit this to execute arbitrary code as root.

Solution

Validate and recompile a legitimate copy of the source code.

See Also

http://pastebin.com/AetT9sS5

http://www.nessus.org/u?abcbc915

Plugin Details

Severity: Critical

ID: 55523

File Name: vsftpd_smileyface_backdoor.nasl

Version: 1.6

Type: remote

Family: FTP

Published: 2011/07/06

Modified: 2018/05/16

Dependencies: 10092, 11153

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

Excluded KB Items: global_settings/supplied_logins_only

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/07/03

Vulnerability Publication Date: 2011/07/03

Exploitable With

Metasploit (VSFTPD v2.3.4 Backdoor Command Execution)

Reference Information

BID: 48539

EDB-ID: 17491