freeFTPd / freeSSHd SFTP Authentication Bypass

Severity: High, Nessus Plugin ID 63223

Synopsis

The SFTP server running on the remote host has an authentication bypass vulnerability.

Description

The SFTP server included with freeFTPd or freeSSHd has an authentication bypass vulnerability. Authentication can be bypassed by opening an SSH channel before any credentials are provided. A remote, unauthenticated attacker could exploit this to log in without providing credentials.

After logging in, uploading specially crafted files could result in arbitrary code execution as SYSTEM. Refer to the researcher's advisory for more information.

Solution

There is no known solution at this time.

See Also

http://seclists.org/fulldisclosure/2010/Aug/132

http://seclists.org/fulldisclosure/2012/Dec/10

http://seclists.org/fulldisclosure/2012/Dec/11

Plugin Details

Severity: High

ID: 63223

File Name: freeftpd_sftp_auth_bypass.nasl

Version: 1.12

Type: remote

Published: 2012/12/11

Modified: 2017/12/19

Dependencies: 10267

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:U/RC:ND

CVSSv3

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Vulnerability Information

CPE: cpe:/a:freeftpd:freeftpd, cpe:/a:freesshd:freesshd

Excluded KB Items: global_settings/supplied_logins_only

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 2010/08/11

Exploitable With

Core Impact

Metasploit (Freesshd Authentication Bypass)

Reference Information

CVE: CVE-2012-6066, CVE-2012-6067

BID: 56782, 56785

EDB-ID: 23079, 23080, 24133