CVE-2010-4221
Published 2010-11-09
CVE-2010-4221: Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code…
Priority: P276 · critical · CVSS 2.0 score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 91.30% (99.8th percentile)
Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.3a-5 (bookworm) | proftpd-dfsg 1.3.3a-5 (bookworm) |
| proftpd | proftpd | — | — |
| proftpd | proftpd | — | — |
Detection & IOCs
Byte-pattern indicators:
- \xff (Telnet IAC) repeated a large number of times (e.g. 1018–8192 times) in the FTP command stream
- BadChars: \x09\x0a\x0b\x0c\x0d\x20\xff
- BadChars: \x00\x0a\x0d
- Detect exploitation attempts by monitoring FTP/FTPS connections (ports 21/990) for a high density of 0xFF (Telnet IAC) bytes within a single command, particularly following a SITE command. Runs of 1018–8192 consecutive 0xFF bytes are characteristic of this exploit.
- Fingerprint vulnerable ProFTPD versions via the FTP banner with the regex /ProFTPD (1\.3\.[23][^ ]) Server/i; versions 1.3.2rc3 through 1.3.3b are vulnerable, 1.3.3c and later are patched.
- On Linux targets with SSP (stack smashing protection), the exploit brute-forces the stack canary by making repeated connections (the daemon forks, so the canary is stable across child processes). Detect this by alerting on a high rate of repeated FTP connections from the same source IP that each send large IAC-padded SITE commands.
- The exploit payload prepends a null-byte padding sequence before the 0xFF IAC flood. FTP commands beginning with one or more 0x00 bytes followed immediately by 0xFF repetitions are a strong exploit indicator.
- The exploit targets the pr_netio_telnet_gets function in netio.c. If source is available, instrument or monitor this function for oversized input buffers as a host-based detection point.
- Stack Smashing Protection (SSP/stack canary) compiled into the ProFTPD binary significantly reduces single-attempt success probability but does NOT prevent exploitation, because of the forking daemon model: the canary value is inherited by all child processes and can be brute-forced.
- Most Linux distribution packages either do not ship a vulnerable ProFTPD version or compile with SSP; however, third-party/Plesk-bundled binaries (Debian, SUSE, CentOS) are confirmed vulnerable and lack these mitigations.
- The exploit sets PrependChrootBreak=true by default, so successful exploitation will attempt to escape any chroot jail configured for ProFTPD; detection and containment strategies relying solely on chroot are insufficient.
- The vulnerability affects both plain FTP and FTPS (encrypted) servers, so TLS inspection is required to detect exploit traffic on FTPS deployments.
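The detection guidance above can be turned into a small, offline-testable checker. The following is an added example written for this page, not code from any of the sources listed here. It implements the IOCs as stated: a run of at least 1018 consecutive 0xFF bytes in one FTP command (the page's low end), the null-padding-then-IAC prefix, the SITE context, a banner version check, and a per-source counter for the repeated-connection canary brute force. Assumptions of my own: the banner regex uses `[^ ]*` instead of the page's `[^ ]` so multi-character suffixes such as `rc3` are captured, the version ordering (rcN before the final release, letter releases after it) is how ProFTPD version strings are compared here, and the 20-connection threshold for the brute-force alert is an arbitrary tuning value. All sample traffic is constructed.

```python
import re
from collections import Counter
from typing import List, Optional, Set, Tuple

# Thresholds and patterns taken from the IOC list on this page.
IAC = 0xFF                       # Telnet "Interpret As Command" byte
IAC_RUN_THRESHOLD = 1018         # low end of the 1018-8192 run length seen in exploit traffic
# Assumed tuning value (not from the page): flood commands from one source IP
# before we report a stack-canary brute-force attempt.
CANARY_BRUTEFORCE_MIN_CONNECTIONS = 20

# Page regex is /ProFTPD (1\.3\.[23][^ ]) Server/i; [^ ]* is my adjustment so
# suffixes like "rc3" or "3a" are captured whole.
BANNER_RE = re.compile(rb"ProFTPD (1\.3\.[23][^ ]*) Server", re.IGNORECASE)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(rc)(\d+)|([a-z]))?$")
VULNERABLE_FROM = "1.3.2rc3"     # first vulnerable release (from the page)
FIXED_IN = "1.3.3c"              # first fixed release (from the page)


def longest_iac_run(cmd: bytes) -> int:
    """Length of the longest run of consecutive 0xFF bytes in one FTP command."""
    longest = run = 0
    for b in cmd:
        run = run + 1 if b == IAC else 0
        longest = max(longest, run)
    return longest


def classify_command(cmd: bytes) -> List[str]:
    """Return the IOC names one FTP command line matches (empty list if clean).

    Legitimate clients do send a few IAC bytes (IAC IP / IAC DM before ABOR, or
    a doubled 0xFF for a literal byte), so only runs at or above
    IAC_RUN_THRESHOLD count as the exploit flood.
    """
    hits = []
    if longest_iac_run(cmd) >= IAC_RUN_THRESHOLD:
        hits.append("iac_flood")
        if cmd.upper().startswith(b"SITE"):
            hits.append("iac_flood_after_site")
    # One or more 0x00 bytes immediately followed by repeated 0xFF.
    if re.match(rb"\x00+\xff{2,}", cmd):
        hits.append("null_pad_then_iac")
    return hits


def banner_version(banner: bytes) -> Optional[str]:
    """Extract the ProFTPD version string from a 220 banner, or None."""
    m = BANNER_RE.search(banner)
    return m.group(1).decode("ascii", "replace") if m else None


def version_key(ver: str) -> Optional[Tuple[int, ...]]:
    """Sortable key: rcN < final release < a < b < c ... (assumed ordering)."""
    m = VERSION_RE.match(ver)
    if not m:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if m.group(4):                       # "rcN" sorts before the final release
        return base + (0, int(m.group(5)))
    if m.group(6):                       # letter releases sort after the final release
        return base + (1, ord(m.group(6)) - ord("a") + 1)
    return base + (1, 0)


def version_is_vulnerable(ver: str) -> bool:
    """True for 1.3.2rc3 <= ver < 1.3.3c, i.e. 1.3.2rc3 through 1.3.3b."""
    key = version_key(ver)
    return key is not None and version_key(VULNERABLE_FROM) <= key < version_key(FIXED_IN)


def canary_bruteforce_sources(events: List[Tuple[str, bytes]],
                              min_connections: int = CANARY_BRUTEFORCE_MIN_CONNECTIONS) -> Set[str]:
    """Source IPs that sent the IAC flood in at least min_connections connections."""
    per_src = Counter(src for src, cmd in events if "iac_flood" in classify_command(cmd))
    return {src for src, n in per_src.items() if n >= min_connections}


# Constructed sample traffic (not captured from a real host).
BENIGN_SITE = b"SITE CHMOD 644 notes.txt\r\n"
ABOR_WITH_IAC = b"\xff\xf4\xff\xf2ABOR\r\n"              # normal urgent-abort sequence
SITE_IAC_FLOOD = b"SITE " + b"\xff" * 1100 + b"\r\n"
NULL_PADDED_FLOOD = b"\x00\x00\x00" + b"\xff" * 2000 + b"\r\n"
SAMPLE_BANNER = b"220 ProFTPD 1.3.3a Server (Debian) [::ffff:192.0.2.10]\r\n"
# Constructed connection log: (source IP, first command) per connection.
SAMPLE_EVENTS = ([("198.51.100.7", SITE_IAC_FLOOD)] * 25
                 + [("203.0.113.9", SITE_IAC_FLOOD)] * 3
                 + [("203.0.113.9", BENIGN_SITE)])

if __name__ == "__main__":
    for cmd in (BENIGN_SITE, ABOR_WITH_IAC, SITE_IAC_FLOOD, NULL_PADDED_FLOOD):
        print(cmd[:12], longest_iac_run(cmd), classify_command(cmd))
    ver = banner_version(SAMPLE_BANNER)
    print("banner version:", ver, "vulnerable:", version_is_vulnerable(ver))
    print("canary brute-force sources:", canary_bruteforce_sources(SAMPLE_EVENTS))
```

Two practical notes. The byte-level checks only see cleartext, so on FTPS deployments they must run after TLS termination (a TLS-inspecting proxy or the server's own logging), as the last bullet above says. The banner check alone is a fingerprint, not proof: a vendor may backport the fix without changing the version string, and the regex on the page also matches patched 1.3.3c banners, so the version comparison (or the distribution's changelog) is what decides.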
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
GHSA
GHSA-gf2w-q84f-pmmw: Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio
ghsa_unreviewed · 2022-05-17 · CVE-2010-4221 · HIGH · CWE-119
OSV
CVE-2010-4221: Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio
osv · 2010-11-09 · CVSS 10.0 · CRITICAL
Debian
CVE-2010-4221: proftpd-dfsg - Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in ne...
vendor_debian · 2010 · CVSS 10.0 · CRITICAL
Scope: local
bookworm: resolved (fixed in 1.3.3a-5)
bullseye: resolved (fixed in 1.3.3a-5)
forky: resolved (fixed in 1.3.3a-5)
sid: resolved (fixed in 1.3.3a-5)
trixie: resolved (fixed in 1.3.3a-5)
No detection rules found.
Exploit-DB
ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)
exploitdb · 2011-01-09 · CVE-2010-4221
```ruby
'ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)',
'Description' => %q{
This module exploits a stack-based buffer overflow in versions of ProFTPD
server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a
large number of Telnet IAC commands, an attacker can corrupt memory and
execute arbitrary code.
The Debian Squeeze version of the exploit uses a little ROP stub to indirectly
transfer the flow of execution to a pool buffer (the cmd_rec "res" in
"pr_cmd_read").
The Ubuntu version uses a full-blow ROP to mmap RWX memory, copy a small stub
to it, and execute the stub. The stub then copies the remainder of the payload
in and executes it.
NOTE: Most Linux distributions either do not ship a vulnerable version of
ProFTPD, or they ship a version co
```
Exploit-DB
ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)
exploitdb · 2010-12-02 · CVE-2010-4221
```ruby
'ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)',
'Description' => %q{
This module exploits a stack-based buffer overflow in versions of ProFTPD
server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a
large number of Telnet IAC commands, an attacker can corrupt memory and
execute arbitrary code.
},
'Author' => [ 'jduck' ],
'Version' => '$Revision: 11208 $',
'References' =>
[
['CVE', '2010-4221'],
['OSVDB', '68985'],
['BID', '44562']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'PrependChrootBreak' => true
},
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
# NOTE: \xff's need to be doubled (per ftp/telnet stuff)
'BadChars' => "\x00\x0a\x0d",
'PrependEncoder' => "\x83\xec\x7f", # sub esp,0x7f (fix esp)
},
'Platform' => [ 'bsd' ],
```
Exploit-DB
ProFTPd IAC 1.3.x - Remote Command Execution
exploitdb · 2010-11-07 · CVE-2010-4221
```perl
# Exploit Title: ProFTPD IAC Remote Root Exploit
# Date: 7 November 2010
# Author: Kingcope
#
# E-DB Note: If you have issues with this exploit, alter lines 549, 555 and 563.
use IO::Socket;
$numtargets = 13;
@targets =
(
# Plain Stack Smashing
#Confirmed to work
["FreeBSD 8.1 i386, ProFTPD 1.3.3a Server (binary)",# PLATFORM SPEC
"FreeBSD", # OPERATING SYSTEM
0, # EXPLOIT STYLE
0xbfbfe000, # OFFSET START
0xbfbfff00, # OFFSET END
1029], # ALIGN
#Confirmed to work
["FreeBSD 8.0/7.3/7.2 i386, ProFTPD 1.3.2a/e/c Server (binary)",
"FreeBSD",
0,
0xbfbfe000,
0xbfbfff00,
1021],
# Return into Libc
#Confirmed to work
["Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1, # EXPLOIT STYLE
0x0804CCD4, # write(2) offset
8189,
```
Metasploit
ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
metasploit
This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. The Debian Squeeze version of the exploit uses a little ROP stub to indirectly transfer the flow of execution to a pool buffer (the cmd_rec "res" in "pr_cmd_read"). The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub to it, and execute the stub. The stub then copies the remainder of the payload in and executes it. NOTE: Most Linux distributions either do not ship a vulnerable version of ProFTPD, or they ship a version compiled with stack smashing protection. Although
Metasploit
ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
metasploit
This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code.
Bugzilla
CVE-2010-4221 CVE-2010-3867 proftpd various flaws [fedora-all]
bugzilla · 2010-11-09 · CVSS 7.1 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=651607
Please note: this issue affects multiple supported v
Bugzilla
CVE-2010-4221 proftpd: multiple stack-based buffer overflows in pr_netio_telnet_gets()
bugzilla · 2010-11-09 · CVSS 10.0 · CRITICAL
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4221 to
the following vulnerability:
Name: CVE-2010-4221
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221
Assigned: 20101109
Reference: MISC: http://www.zerodayinitiative.com/advisories/ZDI-10-229/
Reference: CONFIRM: http://bugs.proftpd.org/show_bug.cgi?id=3521
Reference: CONFIRM: http://www.proftpd.org/docs/NEWS-1.3.3c
Reference: BID:44562
Reference: URL: http://www.securityfocus.com/bid/44562
Reference: SECUNIA:42052
Reference: URL: http://secunia.com/advisories/42052
Multiple stack-based buffer overflows in the pr_netio_telnet_gets
function in netio.c in ProFTPD before 1.3.3c allow remote attackers to
execute arbi
arXiv
CheckedCBox: Type Directed Program Partitioning with Checked C for Incremental Spatial Memory Safety
arxiv_fulltext · 2023-02-03
CheckedCBox: Type Directed Program Partitioning with Checked C for Incremental Spatial Memory Safety (Extended Version)
Liyi Li*, Arunkumar Bhattar*, Le Chang, Mingwei Zhu, and Aravind Machiry
University of Maryland; Purdue University
## Abstract
Spatial memory safety violation is still a major issue for C programs.
Checked C is a safe dialect of C and extends it with checked pointer types and annotations that guarantee spatial memory safety in a backward compatible manner, allowing the mix of checked pointers and regular (unchecked) pointer types.
However, unchecked code vulnerabilities can violate the checked code's spatial safety guarantees.
We present CheckedCBox, which adds a flexible, type directed program partitioning mech
References
- http://bugs.proftpd.org/show_bug.cgi?id=3521
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050687.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050703.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050726.html
- http://secunia.com/advisories/42052
- http://secunia.com/advisories/42217
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:227
- http://www.proftpd.org/docs/NEWS-1.3.3c
- http://www.securityfocus.com/bid/44562
- http://www.vupen.com/english/advisories/2010/2941
- http://www.vupen.com/english/advisories/2010/2959
- http://www.vupen.com/english/advisories/2010/2962
- http://www.zerodayinitiative.com/advisories/ZDI-10-229/
Published: 2010-11-09