module
ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
| Disclosed | Created |
|---|---|
| 2010-11-01 | 2018-05-30 |
Disclosed
2010-11-01
Created
2018-05-30
Description
This module exploits a stack-based buffer overflow in versions of ProFTPD
server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a
large number of Telnet IAC commands, an attacker can corrupt memory and
execute arbitrary code.
The Debian Squeeze version of the exploit uses a little ROP stub to indirectly
transfer the flow of execution to a pool buffer (the cmd_rec "res" in
"pr_cmd_read").
The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub
to it, and execute the stub. The stub then copies the remainder of the payload
in and executes it.
NOTE: Most Linux distributions either do not ship a vulnerable version of
ProFTPD, or they ship a version compiled with stack smashing protection.
Although SSP significantly reduces the probability of a single attempt
succeeding, it will not prevent exploitation. Since the daemon forks in a
default configuration, the cookie value will remain the same despite
some attempts failing. By making repeated requests, an attacker can eventually
guess the cookie value and exploit the vulnerability.
The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness
and could allow exploitation in semi-reasonable amount of time.
server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a
large number of Telnet IAC commands, an attacker can corrupt memory and
execute arbitrary code.
The Debian Squeeze version of the exploit uses a little ROP stub to indirectly
transfer the flow of execution to a pool buffer (the cmd_rec "res" in
"pr_cmd_read").
The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub
to it, and execute the stub. The stub then copies the remainder of the payload
in and executes it.
NOTE: Most Linux distributions either do not ship a vulnerable version of
ProFTPD, or they ship a version compiled with stack smashing protection.
Although SSP significantly reduces the probability of a single attempt
succeeding, it will not prevent exploitation. Since the daemon forks in a
default configuration, the cookie value will remain the same despite
some attempts failing. By making repeated requests, an attacker can eventually
guess the cookie value and exploit the vulnerability.
The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness
and could allow exploitation in semi-reasonable amount of time.
Author
jduck jduck@metasploit.com
Platform
Linux
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.