CVE-2023-51713
published 2023-12-22

CVE-2023-51713: make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics.

Priority: P348, high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 4.25% (89.8th percentile)

Affected

2 ranges

Vendor   Product       Version range                                    Fixed in
debian   proftpd-dfsg  < proftpd-dfsg 1.3.8+dfsg-4+deb12u3 (bookworm)   proftpd-dfsg 1.3.8+dfsg-4+deb12u3 (bookworm)
proftpd  proftpd       < 1.3.8a                                         1.3.8a

Detection & IOCs (extracted from sources)

other: ProFTPD version < 1.3.8a
bytes: 00000000 (hex, sent as TCP input to FTP port 21 to trigger crash)
yara: regex: ProFTPD ([0-9.a-z]+)
  • Banner-grab FTP port 21 and extract ProFTPD version string; flag any banner reporting a version below 1.3.8a as vulnerable.
  • The vulnerability is triggered via mishandling of quote/backslash semantics in make_ftp_cmd (main.c); monitor for FTP commands containing unusual quote/backslash sequences that cause daemon crashes.
  • Use Shodan queries 'product:proftpd' or 'cpe:cpe:2.3:a:proftpd:proftpd' to identify exposed vulnerable instances.
  • A single TCP request of 4 null bytes (hex 00000000) to port 21 with a read-size of 1024 is sufficient to probe for the vulnerability and elicit the ProFTPD banner for version comparison.
  • The Nuclei template targets the network/FTP attack surface with no authentication required (PR:N, UI:N); the matcher relies on passive version extraction from the banner, so it will not fire if the banner is suppressed or customised.
  • Fixed package versions differ by distro: Debian bookworm requires 1.3.8+dfsg-4+deb12u3, bullseye requires 1.3.7a+dfsg-12+deb11u3, and forky/sid/trixie require 1.3.8.a+dfsg-1; version-based detection must account for these distro-specific patch backports.
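
The banner-version check described in the bullets above, as an added example (not code from this page, the Nuclei template or the ProFTPD project). It works on greeting lines you have already collected from your own inventory; the `debian_release` parameter, the verdict names, the assumed version ordering and the sample banners are constructed for illustration.

```python
import re

BANNER_RE = re.compile(r"ProFTPD ([0-9.a-z]+)")          # regex quoted on the page
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(rc\d+|[a-z])?$")
UPSTREAM_FIX = "1.3.8a"
# Debian fixed package versions as listed on the page.
DEBIAN_FIX = {"bookworm": "1.3.8+dfsg-4+deb12u3",
              "bullseye": "1.3.7a+dfsg-12+deb11u3"}

def version_key(version):
    """Sortable key; assumed ordering: 1.3.8rc1 < 1.3.8 < 1.3.8a < 1.3.8b."""
    m = VERSION_RE.match(version)
    if m is None:
        return None
    major, minor, patch, suffix = m.groups()
    if suffix is None:
        stage = (1, 0)                    # plain release
    elif suffix.startswith("rc"):
        stage = (0, int(suffix[2:]))      # release candidate sorts before release
    else:
        stage = (2, ord(suffix))          # lettered maintenance release sorts after
    return (int(major), int(minor), int(patch), stage)

def classify(banner, debian_release=None):
    """Return (verdict, detail) for one FTP greeting line."""
    m = BANNER_RE.search(banner)
    key = version_key(m.group(1)) if m else None
    if key is None:
        return ("unknown", "no parseable version; banner suppressed or customised")
    if key >= version_key(UPSTREAM_FIX):
        return ("fixed", m.group(1))
    if debian_release in DEBIAN_FIX:
        # A backported fix keeps the old upstream number in the banner.
        return ("check-package", "need proftpd-dfsg >= " + DEBIAN_FIX[debian_release])
    return ("vulnerable", m.group(1))

# Constructed sample greetings (not captured from real hosts).
SAMPLES = [
    ("220 ProFTPD 1.3.7a Server (ftp.example.test) [192.0.2.10]", None),
    ("220 ProFTPD 1.3.8 Server (Debian) [192.0.2.11]", "bookworm"),
    ("220 ProFTPD 1.3.8b Server (ftp.example.test) [192.0.2.12]", None),
    ("220 ProFTPD Server (ftp.example.test) [192.0.2.13]", None),
]

if __name__ == "__main__":
    for banner, release in SAMPLES:
        print(classify(banner, release), "<-", banner)
```

A `check-package` or `unknown` verdict means the banner alone cannot settle the question; confirm against the installed package version on the host.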

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv                     7.5    HIGH
vendor_debian           7.5    HIGH
vendor_ubuntu           5.9    MEDIUM