Vulnerability details: VCID-hf1x-yzbu-aaac
Vulnerability ID VCID-hf1x-yzbu-aaac
Aliases CVE-2010-4221
Summary Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
System Score Found at
epss 0.83337 https://api.first.org/data/v1/epss?cve=CVE-2010-4221
epss 0.84664 https://api.first.org/data/v1/epss?cve=CVE-2010-4221
epss 0.91958 https://api.first.org/data/v1/epss?cve=CVE-2010-4221
epss 0.92128 https://api.first.org/data/v1/epss?cve=CVE-2010-4221
epss 0.92265 https://api.first.org/data/v1/epss?cve=CVE-2010-4221
epss 0.92372 https://api.first.org/data/v1/epss?cve=CVE-2010-4221
epss 0.92498 https://api.first.org/data/v1/epss?cve=CVE-2010-4221
epss 0.92888 https://api.first.org/data/v1/epss?cve=CVE-2010-4221
epss 0.93319 https://api.first.org/data/v1/epss?cve=CVE-2010-4221
cvssv2 10.0 https://nvd.nist.gov/vuln/detail/CVE-2010-4221
Reference id Reference type URL
http://bugs.proftpd.org/show_bug.cgi?id=3521
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050687.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050703.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050726.html
https://api.first.org/data/v1/epss?cve=CVE-2010-4221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221
http://secunia.com/advisories/42052
http://secunia.com/advisories/42217
http://www.mandriva.com/security/advisories?name=MDVSA-2010:227
http://www.proftpd.org/docs/NEWS-1.3.3c
http://www.securityfocus.com/bid/44562
http://www.vupen.com/english/advisories/2010/2941
http://www.vupen.com/english/advisories/2010/2959
http://www.vupen.com/english/advisories/2010/2962
http://www.zerodayinitiative.com/advisories/ZDI-10-229/
602279 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602279
cpe:2.3:a:proftpd:proftpd:1.3.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.2:a:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.2:a:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.2:b:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.2:b:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.2:c:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.2:c:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.2:d:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.2:d:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.2:e:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.2:e:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.2:rc3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.2:rc3:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.2:rc4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.2:rc4:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.3:a:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.3:a:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.3:b:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.3:b:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.3:rc1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.3:rc1:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.3:rc2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.3:rc2:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.3:rc3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.3:rc3:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.3:rc4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:proftpd:proftpd:1.3.3:rc4:*:*:*:*:*:*
CVE-2010-4221 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/15449.pl
CVE-2010-4221 https://nvd.nist.gov/vuln/detail/CVE-2010-4221
CVE-2010-4221;OSVDB-68985 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/16851.rb
CVE-2010-4221;OSVDB-68985 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/16878.rb
GLSA-201309-15 https://security.gentoo.org/glsa/201309-15
Data source Exploit-DB
Date added Nov. 7, 2010
Description ProFTPd IAC 1.3.x - Remote Command Execution
Ransomware campaign use Known
Source publication date Nov. 7, 2010
Exploit type remote
Platform linux
Source update date Dec. 4, 2016
Data source Metasploit
Description This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. The Debian Squeeze version of the exploit uses a little ROP stub to indirectly transfer the flow of execution to a pool buffer (the cmd_rec "res" in "pr_cmd_read"). The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub to it, and execute the stub. The stub then copies the remainder of the payload in and executes it. NOTE: Most Linux distributions either do not ship a vulnerable version of ProFTPD, or they ship a version compiled with stack smashing protection. Although SSP significantly reduces the probability of a single attempt succeeding, it will not prevent exploitation. Since the daemon forks in a default configuration, the cookie value will remain the same despite some attempts failing. By making repeated requests, an attacker can eventually guess the cookie value and exploit the vulnerability. The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness and could allow exploitation in semi-reasonable amount of time.
Note
Stability:
  - crash-service-down
SideEffects:
  - ioc-in-logs
Reliability:
  - unreliable-session
Ransomware campaign use Unknown
Source publication date Nov. 1, 2010
Platform Linux
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ftp/proftp_telnet_iac.rb
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2010-4221
Exploit Prediction Scoring System (EPSS)
Percentile 0.98672
EPSS Score 0.83337
Published At Dec. 27, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.