The security researcher Tobias Mädel discovered a vulnerability in the open-source ProFTPD file transfer protocol (FTP) server that can be exploited to copy files to vulnerable servers and potentially execute arbitrary code.
“Tobias Mädel has identified a vulnerability in ProFTPd’s mod_copy. mod_copy is supplied in the default installation of ProFTPd and is enabled by default in most distributions (e.g. Debian).” states the advisory.
The expert explained that the CVE-2019-12815 is technically very similar to the CVE-2015-3306 in ProFTPD, but the old issue is “much more dangerous.”
The vulnerability, tracked as CVE-2019-12815, resides in the mod_copy module that implements commands for copying files and folders on the same server without the necessity to first transfer the data to the client. This module is enabled by default in most operating systems.
“An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.” states the advisory published by Mitre.
In order to exploit the flaw, the attacker needs to have access to the targeted machine.
Querying the Shodan search engine for “ProFTPd Anonymous” (i.e., servers that allow anonymous access) it is possible to find over 28,000 potentially exposed to hacking. Most of the servers are in the United States (9,443), followed by Germany (2,638) and Japan (2,002). The attacker would have to connect to the server and attempt to issue a command to determine if it is vulnerable.
Experts pointed out that the flaw could allow remote code execution only if the server has a certain configuration.
“I’ve seen web servers using ProFTPd with PHP and anonymous access. In this scenario RCE is possible,” the expert told
Below the timeline for the flaw:
A patch addressing the flaw is already available, it was
As a workaround, admins can disable the mod_copy module in the ProFTPd configuration file.