Proftpd 1.3.5e Exploit

Channing Arther

Aug 5, 2024, 2:57:10 PM
to diegimtefer
These tools are widely used by penetration testers, network administrators, and threat actors alike. The first tool is Nmap, short for Network Mapper. For network admins, Nmap helps to find networked computers, discover open ports, available services, and detect known vulnerabilities on their network. Once a list of services is discovered, they can be exploited.

This is part of the reconnaissance or scanning phase where the threat actor wants to learn as much about the target system as they can. Because this is a demonstration we are not going to be quiet about our attack and will do nothing to conceal our intentions. We will use the -sV option that tells us the current version of any services that are running. This is a noisy attack that should be picked up by most intrusion detection systems or SIEMs.


The results from this command reveal a lot about our target system. Each open port is vulnerable to a potential attack. In our simulated attack, we are going to concentrate on the ftp service running the proftpd 1.3.3c software on Port 21.


The proftpd 1.3.3c software was patched over 10 years ago but serves as a good example of how a vulnerable piece of software can be exploited. It is highly unlikely to still be running as an unpatched service.


We could use Google to learn more about the vulnerabilities in the proftpd 1.3.3c server, or we can use the next tool in our toolbox, Metasploit, and use its built-in database to find known vulnerabilities.


Metasploit comes with an extensive database and technical details of over 180,000 vulnerabilities and 4000 exploits. These are all searchable with the search command from the Metasploit command line. We are going to use this database to find proftpd 1.3.3c vulnerabilities and known exploits.


Now we need to make some site-specific configuration settings. The first is the IP address of the target machine. Set the remote host IP address with the RHOSTS command. This is the same IP address we used during our Nmap scan earlier and the machine that is running the proftpd_1.3.3c server.


Once we have a proper shell we can move through the system as root, having full access to the Linux environment. This is where the system is most vulnerable. As root we can install rootkits, malware, ransomware, and exfiltrate data.


Data exfiltration is when a threat actor performs the unauthorized copying, transfer, or retrieval of data from a computer or server. As root, we have full access to the computer and can do anything we want including data exfiltration.


The Linux /etc/passwd file contains a list of system users, combined with the /etc/shadow file which contains encrypted passwords. Together these two files can be hacked to reveal username/password combinations for lateral movement through the network.


We exfiltrated /etc/passwd and /etc/shadow to our local machine. There is no reason that we could not also exfiltrate databases, customer information, stored credit cards, or company-sensitive information out of the network to a remote location as we did with the password files.


Cracking the hashed passwords is beyond the scope of this walkthrough, but if you can crack the passwords, an attacker can use the same credentials to pivot to other machines across the network. John the Ripper and Hashcat are two well-known password cracking tools that can quickly reveal username/password combinations.


The Exploit Database is maintained by OffSec, an information security training company that provides various Information Security Certifications as well as high end penetration testing services. The Exploit Database is a non-profit project that is provided as a public service by OffSec.


The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.


The Google Hacking Database (GHDB) is a categorized index of Internet search engine queries designed to uncover interesting, and usually sensitive, information made publicly available on the Internet. In most cases, this information was never meant to be made public but due to any number of factors this information was linked in a web document that was crawled by a search engine that subsequently followed that link and indexed the sensitive information.


After nearly a decade of hard work by the community, Johnny turned the GHDB over to OffSec in November 2010, and it is now maintained as an extension of the Exploit Database. Today, the GHDB includes searches for other online search engines such as Bing, and other online repositories like GitHub, producing different, yet equally valuable results.


This module exploits a malicious backdoor that was added to the ProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2gz] archive between November 28th 2010 and 2nd December 2010.


This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.


I am shocked. I am running Ubuntu 14.04, with automatic security upgrades.

Also I ran updates and upgrades almost weekly, so the system should be up to date. But the most up-to-date proftpd package in Ubuntu 14.04 is the insecure, dangerous version!!

I thought my system would be safe on an up-to-date Ubuntu 14.04 LTS. Well, I was wrong.


Tests for the presence of the ProFTPD 1.3.3c backdoor reported as BID45150. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.


After spending the week doing the Advanced Web App Penetration Testing class, what could be better than spending a couple of days doing exploit dev! Yeah, nobody said I was smart, but I am a sucker for punishment.


The class kicked off with a discussion of the dynamic Linux memory, followed quickly by a couple of interesting (albeit similar) heap exploit exercises. The class moved quickly (lots of content, little time) into overwriting function pointers (BSS segment exploitation). As usual the exercises (labs) that follow each section helped reinforce the information from the previous section. Although the exercise programs are simple (and often simple purposed) they do a good job of easing you into the exploit type you're working on without distracting you with huge monolithic programs.


Some background info was a little fluffy for my liking. For example, the section on Microsoft patches started off with a discussion on how Microsoft releases patches and how to get patches from the MS website. Good info, but mostly known and not really something that warrants more than a 60 second refresher.


The contents of this personal blog are solely my own opinions and comments, as such they do not reflect the opinions of my employer(s) past, present or future. No legal liability is accepted for anything you do, think, or consider fact as the basis of articles and links posted on this blog.


Note: A large portion of content I post on my blog comes from "live blogging" of security conferences. These posts are in notes form and are written live during a talk. As such errors and omissions are expected. I'm only human after all!


On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor. The unauthorized modification of the source code was noticed by Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on Wednesday, December 1 and fixed shortly afterwards.


The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org) as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem.


Users are strongly advised to check systems running the affected code for security compromises and compile/run a known good version of the code. To verify the integrity of the source files, use the GPG signatures available on the FTP servers as well as on the ProFTPD homepage at:


All downloads of ProFTPD-1.3.3c on the official website between 2010-11-28 and 2010-12-02 are potentially compromised versions. You are advised to check that your version is not compromised using the tools provided below.


A vulnerability was found in ProFTPD 1.3.4e/1.3.5 (File Transfer Software). It has been declared as critical. This vulnerability affects an unknown code of the component mod_copy. The manipulation of the argument cpfr/cpto with an unknown input leads to an access control vulnerability (File). The CWE definition for the vulnerability is CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
