CVE-2011-2523
published 2019-11-27

CVE-2011-2523: vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.

Priority: P1 (82) · Severity: critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 96.18% (99.9th percentile)

Affected (6 ranges)

Vendor          Product        Version range   Fixed in
debian          debian_linux
debian          debian_linux
debian          debian_linux
debian          vsftpd
vsftpd          vsftpd
vsftpd_project  vsftpd

Detection & IOCs (extracted from sources)

port: 6200/tcp
version: vsftpd 2.3.4
filename: vsftpd-2.3.4.tar.gz
command: USER <username>:)
command: USER nergal:)
port: 21/tcp
  • Detect the backdoor trigger pattern: any FTP USER command containing a smiley face ':)' suffix (e.g., 'USER <anything>:)') on port 21/tcp is the backdoor activation sequence for CVE-2011-2523.
  • Monitor for unexpected new listening service on port 6200/tcp following an FTP connection to vsftpd 2.3.4; this indicates successful backdoor activation.
  • Detect connection attempts to port 6200/tcp immediately after an FTP session to port 21/tcp on the same host; this two-step connection pattern is characteristic of the backdoor exploit.
  • The Metasploit module exploit/unix/ftp/vsftpd_234_backdoor (disclosed 2011-07-03) can be used to verify presence of the backdoor; detection of this module's traffic pattern (USER with ':)' then immediate TCP connect to port 6200) is a strong indicator of exploitation.
  • After connecting to the backdoor shell on port 6200, the exploit sends 'id\n' and expects 'uid=' in the response to confirm shell access; monitor for this pattern in network traffic on port 6200.
  • The backdoor is only present in vsftpd-2.3.4.tar.gz downloaded between June 30th and July 3rd 2011; installations from outside this window or from trusted package managers are not affected.
  • A host firewall blocking port 6200/tcp will prevent the backdoor shell from being reached even if the backdoor is triggered, as observed in the HackTheBox 'Lame' machine scenario.
  • The backdoor cannot be reached if the FTP server is configured for anonymous-only access, as the USER command with ':)' suffix will return a 530 response before the backdoor code path is executed.
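As an added example (not taken from this page or from the vsftpd project), the three network indicators above, the ':)' USER trigger on 21/tcp, the follow-on connect to 6200/tcp from the same client, and the 'uid=' shell response on 6200/tcp, implemented as a small Python detector over constructed sample events. The event tuple layout, the 60-second pairing window and the alert names are assumptions of this example.

```python
import re

# Constructed sample events, not real captures: (seconds, src, dst, dst_port, payload)
EVENTS = [
    (0.0, "10.0.0.5", "10.0.0.9", 21, "USER alice"),          # ordinary login, no alert
    (0.2, "10.0.0.5", "10.0.0.9", 21, "PASS hunter2"),
    (5.0, "10.0.0.7", "10.0.0.9", 21, "USER nergal:)"),       # backdoor trigger pattern
    (5.1, "10.0.0.7", "10.0.0.9", 21, "PASS anything"),
    (6.0, "10.0.0.7", "10.0.0.9", 6200, ""),                  # bare TCP connect to 6200/tcp
    (6.1, "10.0.0.7", "10.0.0.9", 6200, "id\n"),              # probe sent to the shell
    (6.2, "10.0.0.9", "10.0.0.7", 6200, "uid=0(root) gid=0(root)"),  # server response
]

# USER <anything>:) on the FTP control channel (the ':)' suffix is the indicator)
TRIGGER = re.compile(r"^USER\s+\S*:\)")
WINDOW = 60.0  # assumed max seconds between the FTP session and the 6200/tcp connect


def detect(events):
    """Return (alert_name, src, dst, time) tuples for the page's three indicators."""
    alerts = []
    last_ftp = {}      # (client, server) -> time of the most recent control-channel command
    paired = set()     # (client, server) pairs already alerted for the two-step pattern
    for t, src, dst, port, payload in sorted(events):
        if port == 21:
            if TRIGGER.match(payload):
                alerts.append(("ftp_user_smiley_trigger", src, dst, t))
            last_ftp[(src, dst)] = t
        elif port == 6200:
            t0 = last_ftp.get((src, dst))
            # Same client talking FTP to this host, then 6200/tcp within the window
            if t0 is not None and t - t0 <= WINDOW and (src, dst) not in paired:
                alerts.append(("ftp_then_6200_connect", src, dst, t))
                paired.add((src, dst))
            # 'uid=' flowing on 6200/tcp means a shell answered an 'id' probe
            if "uid=" in payload:
                alerts.append(("shell_uid_response_6200", src, dst, t))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A 6200/tcp connect with no preceding FTP session from the same client does not raise the two-step alert, which keeps the rule quiet on hosts that legitimately use that port.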

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_debian           9.8    LOW
vendor_redhat           9.8    CRITICAL