ProFTPd is an open-source, cross-platform FTP server and is one among the most popular FTP servers used in Unix-like environments. It comes pre-installed with many Linux and Unix distributions and is used by a number of popular businesses and websites including SourceForge, Samba and Slackware.
An improper access control vulnerability discovered in ProFTPD, which under certain conditions exploits to execute arbitrary code and cause information disclosure. Identifies the vulnerability as CVE-2019-12815 and resides in ProFTPD’s mod_copy module. Vulnerability management solution is essential here. The mod_copy enables default in most distributions. This allows users to copy files/directories from one place to another on a server without having to transfer the data to the client and back. A patch management tool can remediate this vulnerability.
According to the ProFTPD bug report, the mod_copy module provides two custom commands SITE CPFR and SITE CPTO, which do not follow permission directions specified as per configuration and thus allow remote users to copy a file to the current folder even if they don’t have permission. The vulnerability exploites by unauthorizedly copying an executable file to a location on the server where it executes.
It is important to note that not every FTP server running vExploiting the vulnerable ProFTPD FTP server remotely is not possible in every case. Successful exploitation requires the following conditions:
- An attacker should be able to authenticate to the ProFTPD server either by a user account or an anonymous account.
- Enable the mod_copy module.
- The FTP directory should also be accessible from a web server.
Affected Products:
The vulnerability affects ProFTPD versions 1.3.4 through 1.3.6 (Note: also affects ProFTPd 1.3.6 and does not contain the fix)
Impact:
The flaw may allow remote code execution or information disclosure.
Solution:
According to the ProFTPD bug report, the fix for this vulnerability merges and backported to the version 1.3.6 branch. However, the researcher who reports this bug states in the advisory that the vulnerability wasn’t fixed in version 1.3.6
Workaround:
Please refer to this KB article.