CVE-2010-4221

Published: 09/11/2010 Updated: 15/09/2011
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD prior to 1.3.3c allow remote malicious users to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.

Vulnerable Product

proftpd proftpd 1.3.2

proftpd proftpd 1.3.3

Exploits

    ##
    # $Id: proftp_telnet_iac.rb 11208 2010-12-02 21:10:03Z jduck $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # metasploit.com/framework/
    ##

    require 'msf/core'

    cla ...

    ##
    # $Id: proftp_telnet_iac.rb 11525 2011-01-09 23:33:24Z jduck $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # metasploit.com/framework/
    ##

    require 'msf/core'

    cla ...

    # Exploit Title: ProFTPD IAC Remote Root Exploit
    # Date: 7 November 2010
    # Author: Kingcope
    #
    # E-DB Note: If you have issues with this exploit, alter lines 549, 555 and 563

    use IO::Socket;

    $numtargets = 13;

    @targets = (
      # Plain Stack Smashing
      #Confirmed to work
      ["FreeBSD 8.1 i386, ProFTPD 1.3.3a Server (binary)",# PLATFORM SPEC
       "FreeBS ...

Nmap Scripts

ftp-vuln-cve2010-4221

Checks for a stack-based buffer overflow in ProFTPD server versions 1.3.2rc3 through 1.3.3b. When sent a large number of TELNET_IAC escape sequences, the proftpd process miscalculates the buffer length, allowing a remote attacker to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.

nmap --script ftp-vuln-cve2010-4221 -p 21 <host>

    PORT   STATE SERVICE
    21/tcp open  ftp
    | ftp-vuln-cve2010-4221:
    |   VULNERABLE:
    |   ProFTPD server TELNET IAC stack overflow
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2010-4221  BID:44562  OSVDB:68985
    |     Risk factor: High  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
    |     Description:
    |       ProFTPD server (version 1.3.2rc3 through 1.3.3b) is vulnerable to
    |       stack-based buffer overflow. By sending a large number of TELNET_IAC
    |       escape sequence, a remote attacker will be able to corrupt the stack and
    |       execute arbitrary code.
    |     Disclosure date: 2010-11-02
    |     References:
    |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221
    |       http://osvdb.org/68985
    |       http://www.metasploit.com/modules/exploit/freebsd/ftp/proftp_telnet_iac
    |       http://bugs.proftpd.org/show_bug.cgi?id=3521
    |_      http://www.securityfocus.com/bid/44562

Github Repositories

This exploit was written to study some concepts, enjoy!

cve-2010-4221

This exploit was written to study some concepts, enjoy!

Usage

    Proftpd Telnet IAC remote generic exploit
    Writen by: F0rb1dd3n

    Usage: /proftpd-exploit <target IP> <target PORT> <attack type>

    Attack Types:
    0 - Socket Reuse
    1 - Reverse Shell
    2 - Bind Shell
    3 - Your own shell

Repository for python exploits

python-exploits

Repository for python exploits

MS08-067

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing W

nmap network mapper ports direct traffic 65535 well-known ports 1023

version check

    $ nmap -v
    Starting Nmap 7.91 ( nmap.org ) at 2021-08-02 12:13 IST
    Read data files from: /usr/bin/../share/nmap
    WARNING: No targets were specified, so 0 hosts scanned.
    Nmap done: 0 IP addresses (0 hosts up) scanned in 0.05 seconds

syn scan

    $ sudo