CVE-2010-4221
published 2010-11-09

CVE-2010-4221: Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code…

Priority: P276 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 91.30% (99.8th percentile)
Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
debian | proftpd-dfsg | < proftpd-dfsg 1.3.3a-5 (bookworm) | proftpd-dfsg 1.3.3a-5 (bookworm)
proftpd | proftpd | |
proftpd | proftpd | |

Detection & IOCs (extracted from sources)

command: SITE <NUL-padding><0xFF*IACCount><offset-padding><ret><writable><payload>\r\n
bytes: \xff (Telnet IAC) repeated large count (e.g. 1018–8192 times) in FTP command stream
bytes: BadChars: \x09\x0a\x0b\x0c\x0d\x20\xff
bytes: BadChars: \x00\x0a\x0d
  • Detect exploitation attempts by monitoring FTP/FTPS connections (port 21/990) for a high density of 0xFF (Telnet IAC) bytes within a single command, particularly following a SITE command. Counts of 1018–8192 consecutive 0xFF bytes are characteristic of this exploit.
  • Fingerprint vulnerable ProFTPD versions via FTP banner matching regex /ProFTPD (1\.3\.[23][^ ]) Server/i — versions 1.3.2rc3 through 1.3.3b are vulnerable; 1.3.3c and later are patched.
  • On Linux targets with SSP (stack smashing protection), the exploit brute-forces the stack canary cookie by making repeated connections (daemon forks, so cookie is stable across forks). Detect by alerting on a high rate of repeated FTP connections from the same source IP that each send large IAC-padded SITE commands.
  • The exploit payload prepends a null-byte padding sequence before the 0xFF IAC flood. Detect FTP commands beginning with one or more 0x00 bytes followed immediately by 0xFF repetitions as a strong exploit indicator.
  • The exploit targets the pr_netio_telnet_gets function in netio.c. If source is available, instrument or monitor this function for oversized input buffers as a host-based detection point.
  • Stack Smashing Protection (SSP/stack canary) compiled into the ProFTPD binary significantly reduces single-attempt success probability but does NOT prevent exploitation due to the forking daemon model: the canary value is inherited by all child processes and can be brute-forced.
  • Most Linux distribution packages either do not ship a vulnerable ProFTPD version or compile with SSP; however, third-party/Plesk-bundled binaries (Debian, SUSE, CentOS) are confirmed vulnerable and lack these mitigations.
  • The exploit sets PrependChrootBreak=true by default, meaning successful exploitation will attempt to escape any chroot jail configured for ProFTPD, so detection/containment strategies relying solely on chroot are insufficient.
  • The vulnerability affects both plain FTP and FTPS (encrypted) servers, meaning TLS inspection is required to detect exploit traffic on FTPS deployments.
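
The network-side checks listed above (0xFF run length in a command, NUL padding followed by 0xFF, repeated flagged commands from one source) can be combined in one pass over control-channel lines. The sketch below is an added example, not code from the advisory or from ProFTPD. The thresholds, function names and sample traffic are assumptions, and input is assumed to be already TLS-decrypted for FTPS.

```python
from collections import Counter

IAC = 0xFF
IAC_RUN_MIN = 512   # assumed threshold, below the 1018 lower bound quoted above
REPEAT_MIN = 3      # assumed: flagged commands per source before a brute-force alert

def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of consecutive `value` bytes."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best

def inspect_command(line: bytes) -> dict:
    """Score one FTP control-channel line."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    run = longest_run(arg, IAC)
    stripped = arg.lstrip(b"\x00")
    # Argument starts with NUL bytes that are immediately followed by 0xFF.
    nul_then_iac = len(stripped) < len(arg) and stripped[:1] == b"\xff"
    return {
        "verb": verb.upper().decode("ascii", "replace"),
        "iac_run": run,
        "nul_then_iac": nul_then_iac,
        "suspicious": run >= IAC_RUN_MIN,
    }

def brute_force_sources(events):
    """events: iterable of (src_ip, line). Sources with >= REPEAT_MIN flagged commands."""
    hits = Counter(src for src, line in events if inspect_command(line)["suspicious"])
    return sorted(src for src, n in hits.items() if n >= REPEAT_MIN)

# Constructed sample traffic (documentation addresses, filler bytes only).
FLOOD = b"SITE " + b"\x00" * 4 + b"\xff" * 1018 + b"A" * 16 + b"\r\n"
BENIGN = b"SITE CHMOD 644 report.txt\r\n"
SAMPLE = [("192.0.2.10", FLOOD)] * 4 + [("198.51.100.7", BENIGN), ("198.51.100.7", FLOOD)]

if __name__ == "__main__":
    print(inspect_command(FLOOD))
    print(brute_force_sources(SAMPLE))
```

A single flagged command is worth an alert on its own; the per-source count only separates a one-off probe from the repeated connections associated with canary brute-forcing.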

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv | 10.0 | CRITICAL
vendor_debian | 10.0 | CRITICAL