freeFTPd / freeSSHd SFTP Authentication Bypass

High severity, Nessus Plugin ID 63223

Synopsis

The SFTP server running on the remote host has an authentication bypass vulnerability.

Description

The SFTP server included with freeFTPd or freeSSHd has an authentication bypass vulnerability. Authentication can be bypassed by opening an SSH channel before any credentials are provided. A remote, unauthenticated attacker could exploit this to log in without providing credentials.

Once logged in, an attacker could upload specially crafted files, which could result in arbitrary code execution as SYSTEM. Refer to the researcher's advisory for more information.

Solution

There is no known solution at this time.

See Also

https://seclists.org/fulldisclosure/2010/Aug/132

https://seclists.org/fulldisclosure/2012/Dec/10

https://seclists.org/fulldisclosure/2012/Dec/11

Plugin Details

Severity: High

ID: 63223

File Name: freeftpd_sftp_auth_bypass.nasl

Version: 1.17

Type: remote

Published: 12/11/2012

Updated: 6/12/2020

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.5

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:F/RL:U/RC:C

CVSS Score Source: CVE-2012-6067

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: E:F/RL:U/RC:C

Vulnerability Information

CPE: cpe:/a:freeftpd:freeftpd, cpe:/a:freesshd:freesshd

Excluded KB Items: global_settings/supplied_logins_only

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 8/11/2010

Exploitable With

Core Impact

Metasploit (Freesshd Authentication Bypass)

Reference Information

CVE: CVE-2012-6066, CVE-2012-6067

BID: 56782, 56785

EDB-ID: 23079, 23080, 24133