CVE-2015-3306
published 2015-05-18

CVE-2015-3306: The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.

Priority: P181, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 96.80% (99.9th percentile)

Affected

10 ranges
Vendor | Product | Version range | Fixed in
debian | debian_linux
debian | debian_linux
debian | debian_linux
debian | proftpd-dfsg | < proftpd-dfsg 1.3.5-2 (bookworm) | proftpd-dfsg 1.3.5-2 (bookworm)
debian | proftpd-dfsg | < proftpd-dfsg 1.3.6-6 (bookworm) | proftpd-dfsg 1.3.6-6 (bookworm)
fedoraproject | fedora
fedoraproject | fedora
proftpd | proftpd | <= 1.3.5b
proftpd | proftpd
siemens | simatic_cp_1543-1_firmware | >= 2.0 < 2.2 | 2.2

Detection & IOCs (extracted from sources)

command: SITE CPFR /proc/self/cmdline
command: SITE CPTO /tmp/.<random>
command: SITE CPFR /proc/self/fd/3
command: SITE CPTO /var/www/html/test.php
command: SITE CPFR /etc/passwd
path: /proc/self/cmdline
path: /var/www/html/test.php
yara: words: ["Copy successful"]
  • Detect unauthenticated SITE CPFR / SITE CPTO FTP command sequences — the exploit chain requires no authentication and uses these two commands to stage and drop a PHP webshell.
  • Alert on FTP sessions that issue SITE CPFR targeting /proc/self/cmdline or /proc/self/fd/3 — these are the specific proc paths used to smuggle a PHP payload.
  • Alert on FTP sessions that issue SITE CPTO to web-accessible directories (e.g. /var/www) with a .php extension — this is the final step that enables HTTP-triggered RCE.
  • Check FTP server response for '350' to SITE CPFR /etc/passwd as a vulnerability-check indicator — the Metasploit module uses this response to confirm exploitability.
  • Monitor HTTP requests to randomly-named .php files in the web root immediately following an FTP session — the exploit executes the dropped payload via a GET request.
  • Look for the string 'Copy successful' in FTP server responses as a network-level indicator that a SITE CPFR/CPTO operation completed successfully.
  • Anonymous FTP access is disabled by default when installing ProFTPD via APT or YUM, but is ENABLED by default in source installs from proftpd.org; source-installed servers are exploitable without any credentials.
  • The mod_copy module (which contains the vulnerable SITE CPFR/CPTO commands) was not included in default ProFTPD installations until version 1.3.4; earlier versions are not affected.
  • The ProFTPD service runs as 'nobody' by default, meaning copied files and executed payloads inherit those low privileges, but this is still sufficient for webshell deployment if the web directory is world-writable.
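
The FTP-side detection points listed above, as an added example that is not part of the original page: a scanner that groups FTP command records by session and tags mod_copy abuse. The `session|command|reply-code` record format, the `WEB_ROOTS` value and the tag names are assumptions, and the check for /proc/self/cmdline and /proc/self/fd/3 is generalized to any /proc/self/ source path.

```python
import posixpath
import re
from collections import defaultdict

# Assumed web-accessible roots; adjust to the server being monitored.
WEB_ROOTS = ("/var/www/",)
SITE_COPY = re.compile(r"^SITE\s+(CPFR|CPTO)\s+(\S.*)$", re.IGNORECASE)

def scan(lines):
    """Return {session_id: sorted finding tags} for SITE CPFR/CPTO abuse."""
    logged_in, findings = set(), defaultdict(set)
    for raw in lines:
        try:
            sid, rest = raw.strip().split("|", 1)
            command, code = rest.rsplit("|", 1)
        except ValueError:
            continue  # skip malformed records
        if command.upper().startswith("PASS") and code == "230":
            logged_in.add(sid)  # 230 = login accepted
            continue
        m = SITE_COPY.match(command)
        if not m:
            continue
        verb, path = m.group(1).upper(), posixpath.normpath(m.group(2).strip())
        if sid not in logged_in:
            findings[sid].add("unauthenticated-site-copy")
        if verb == "CPFR" and path.startswith("/proc/self/"):
            findings[sid].add("cpfr-from-proc-self")
        if verb == "CPFR" and path == "/etc/passwd" and code == "350":
            findings[sid].add("cpfr-passwd-probe-accepted")
        if verb == "CPTO" and path.startswith(WEB_ROOTS) and path.lower().endswith(".php"):
            findings[sid].add("cpto-php-into-webroot")
    return {sid: sorted(tags) for sid, tags in findings.items()}

# Constructed sample records (not taken from a real server).
SAMPLE = """\
s1|USER alice|331
s1|PASS (hidden)|230
s1|SITE CPFR /home/alice/report.txt|350
s1|SITE CPTO /home/alice/report.bak|250
s2|SITE CPFR /proc/self/cmdline|350
s2|SITE CPTO /tmp/.x1|250
s2|SITE CPFR /tmp/.x1|350
s2|SITE CPTO /var/www/html/test.php|250
s3|SITE CPFR /etc/passwd|350
""".splitlines()

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The authenticated copy in session s1 produces no finding; correlating a flagged session with later HTTP requests for the written .php file needs web server logs and is outside this sketch.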

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv | 10.0 | CRITICAL
vendor_debian | 10.0 | LOW