freeFTPd / freeSSHd SFTP Authentication Bypass

High Nessus Plugin ID 63223

Synopsis

The SFTP server running on the remote host has an authentication bypass vulnerability.

Description

The SFTP server included with freeFTPd or freeSSHd has an authentication bypass vulnerability. Authentication can be bypassed by opening an SSH channel before any credentials are provided. A remote, unauthenticated attacker could exploit this to login without providing credentials.

After logging in, uploading specially crafted files could result in arbitrary code execution as SYSTEM. Refer to the researcher's advisory for more information.

Solution

There is no known solution at this time.

See Also

https://seclists.org/fulldisclosure/2010/Aug/132

https://seclists.org/fulldisclosure/2012/Dec/10

https://seclists.org/fulldisclosure/2012/Dec/11

Plugin Details

Severity: High

ID: 63223

File Name: freeftpd_sftp_auth_bypass.nasl

Version: 1.15

Type: remote

Published: 2012/12/11

Updated: 2018/11/15

Dependencies: 10267

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:U/RC:C

CVSS v3.0

Base Score: 7.3

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:U/RC:C

Vulnerability Information

CPE: cpe:/a:freeftpd:freeftpd, cpe:/a:freesshd:freesshd

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 2010/08/11

Exploitable With

Core Impact

Metasploit (Freesshd Authentication Bypass)

Reference Information

CVE: CVE-2012-6066, CVE-2012-6067

BID: 56782, 56785

EDB-ID: 23079, 23080, 24133