freeFTPd / freeSSHd SFTP Authentication Bypass

critical Nessus Plugin ID 63223

VPR Score: 7.4

Synopsis

The SFTP server running on the remote host has an authentication bypass vulnerability.

Description

The SFTP server included with freeFTPd or freeSSHd has an authentication bypass vulnerability. Authentication can be bypassed by opening an SSH channel before any credentials are provided. A remote, unauthenticated attacker could exploit this to log in without providing credentials.

After logging in, uploading specially crafted files could result in arbitrary code execution as SYSTEM. Refer to the researcher's advisory for more information.
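
The ordering rule whose absence the description points to, shown as an added example (not code from freeSSHd, freeFTPd or the Nessus plugin): a server-side gate that refuses SSH connection-protocol messages until SSH_MSG_USERAUTH_SUCCESS has been sent. Message numbers are those assigned in RFC 4250; the class, function and trace names are hypothetical and the traces are constructed.

```python
# Added illustration: a model of a server-side message gate, not freeSSHd code.
# Message numbers are the ones assigned in RFC 4250, section 4.1.
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52      # only the server sends this
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91
CONNECTION_MSGS = range(80, 128)   # connection protocol: global requests, channels


class AuthGate:
    """Tracks one connection and decides whether a client message is processed."""

    def __init__(self, strict=True):
        self.strict = strict         # False models the flaw in the description
        self.authenticated = False

    def server_sent(self, msg):
        # Authentication state changes only when the server itself reports success.
        if msg == SSH_MSG_USERAUTH_SUCCESS:
            self.authenticated = True

    def client_msg_allowed(self, msg):
        # Channel and global requests are refused before authentication succeeds.
        if msg in CONNECTION_MSGS and not self.authenticated:
            return not self.strict
        return True


def replay(trace, strict=True):
    """trace: list of (direction, msg); direction is 'C' (client) or 'S' (server).
    Returns the index of the first refused client message, or None if none is."""
    gate = AuthGate(strict)
    for i, (direction, msg) in enumerate(trace):
        if direction == "S":
            gate.server_sent(msg)
        elif not gate.client_msg_allowed(msg):
            return i
    return None


# Constructed traces (message numbers only, payloads omitted).
NORMAL = [("C", 5), ("S", 6), ("C", 50), ("S", 52), ("C", 90), ("S", 91)]
NO_AUTH = [("C", 5), ("S", 6), ("C", 90)]  # channel open, no USERAUTH_SUCCESS
```
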

Solution

There is no known solution at this time.

See Also

https://seclists.org/fulldisclosure/2010/Aug/132

https://seclists.org/fulldisclosure/2012/Dec/10

https://seclists.org/fulldisclosure/2012/Dec/11

Plugin Details

Severity: Critical

ID: 63223

File Name: freeftpd_sftp_auth_bypass.nasl

Version: 1.17

Type: remote

Published: 12/11/2012

Updated: 6/12/2020

Dependencies: ssh_detect.nasl

Risk Information

Risk Factor: Critical

VPR Score: 7.4

CVSS Score Source: CVE-2012-6067

CVSS v2.0

Base Score: 10

Temporal Score: 9.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:U/RC:C

CVSS v3.0

Base Score: 7.3

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:U/RC:C

Vulnerability Information

CPE: cpe:2.3:a:freesshd:freesshd:*:*:*:*:*:*:*:*, cpe:2.3:a:freeftpd:freeftpd:*:*:*:*:*:*:*:*

Excluded KB Items: global_settings/supplied_logins_only

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 8/11/2010

Exploitable With

Core Impact

Metasploit (Freesshd Authentication Bypass)

Reference Information

CVE: CVE-2012-6066, CVE-2012-6067

BID: 56785, 56782

EDB-ID: 23079, 23080, 24133