Debian proftpd root Privilege Escalation

High Nessus Network Monitor Plugin ID 1817

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The remote FTP server is subject to two flaws:
- There is a configuration error in the postinst script that is triggered when the user enters 'yes' when asked if anonymous access should be enabled. The postinst script wrongly leaves the 'run as uid/gid root' configuration option in /etc/proftpd.conf, and adds a 'run as uid/gid nobody' option that has no effect.
- There is a bug that occurs when /var is a symlink and proftpd is restarted. When proftpd is stopped, the /var symlink is removed; when it is started again, a file named /var is created.

Solution

Upgrade proftpd to proftpd-1.2.0pre10-2.0potato1 or higher.

See Also

http://www.debian.org/security/2001/dsa-032

Plugin Details

Severity: High

ID: 1817

File Name: 1817.prm

Family: FTP Servers

Published: 2004/08/20

Modified: 2016/11/23

Dependencies: 1851

Nessus ID: 11450

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux

Reference Information

CVE: CVE-2001-0456

OSVDB: 5638