A New 'Arbitrary File Copy' Flaw Affects ProFTPD Powered FTP Servers

A German security researcher has publicly disclosed details of a serious vulnerability in one of the most popular FTP server applications, which is currently being used by more than one million servers worldwide.

The vulnerable software in question is ProFTPD, an open source FTP server used by a large number of popular businesses and websites including SourceForge, Samba and Slackware, and comes pre-installed with many Linux and Unix distributions, like Debian.

Discovered by Tobias Mädel, the vulnerability resides in the mod_copy module of the ProFTPD application, a component that allows users to copy files/directories from one place to another on a server without having to transfer the data to the client and back.

According to Mädel, an incorrect access control issue in the mod_copy module could be exploited by an authenticated user to unauthorizedly copy any file on a specific location of the vulnerable FTP server where the user is otherwise not allowed to write a file.

In rare circumstances, the flaw may also lead to remote code execution or information disclosure attacks.

John Simpson, a security researcher at Trend Micro, told The Hacker News that to successfully achieve remote code execution on a targeted server, an attacker needs to copy a malicious PHP file to a location where it can be executed.

Therefore, it's important to note that not every FTP server running vulnerable ProFTPD can be hijacked remotely, since the attacker requires log-in to the respective targeted server, or the server should have anonymous access enabled.
The vulnerability, assigned as CVE-2019-12815, affects all versions of ProFTPd, including the latest 1.3.6 version which was released in 2017.

Since the mod_copy module comes enabled by default in most operating systems using ProFTPD, the flaw could potentially affect a large number of servers.

According to an advisory, the newly discovered issue is related to a 4-year-old similar vulnerability (CVE-2015-3306) in the mod_copy module that allows remote attackers to read and write to arbitrary files via the site CPFR and site CPTO commands.

Mädel reported the vulnerability to ProFTPd project maintainers in September last year, but the team did not take any action to address the issue for more than 9 months.

So, the researcher contacted the Debian Security Team last month, after which the ProFTPD team finally created a patch and just last week backported it to ProFTPD 1.3.6 without releasing a new version of its FTP server.

As a workaround, server administrators can also disable the mod_copy module in the ProFTPd configuration file in order to protect themselves from being a victim of any attack related to this flaw.