ProFTPD versions 1.2.x (including 1.2.8 and 1.2.10) are vulnerable to timing attacks that allow remote attackers to distinguish valid usernames from invalid ones. The server responds in varying amounts of time when a given username exists, enabling username enumeration through response time analysis.
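The class of leak described above (CWE-203), shown as an added Python example that is not ProFTPD's code and makes no claim about its internals: it assumes the common cause, where an unknown username skips the expensive password hash, and contrasts that with a login path that does the same work for every name. The account data, function names and work factor are constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor for the demo
kdf_calls = 0        # instrumentation: counts expensive hash operations


def _kdf(password, salt):
    """Deliberately slow password hash (PBKDF2-HMAC-SHA256)."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password):
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


# Constructed account database: username -> (salt, hash)
USERS = {"alice": make_record("correct horse")}
# Dummy record hashed for unknown names so both paths cost the same.
_DUMMY_SALT, _DUMMY_HASH = make_record("placeholder")


def login_leaky(user, password):
    """Unknown names return before hashing, so response time reveals validity."""
    record = USERS.get(user)
    if record is None:
        return False  # fast path: no KDF work
    salt, stored = record
    return hmac.compare_digest(_kdf(password, salt), stored)


def login_uniform(user, password):
    """Always runs one KDF and one constant-time compare, known user or not."""
    record = USERS.get(user)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_kdf(password, salt), stored)
    return ok and record is not None  # a dummy match never authenticates


def kdf_cost(login, user, password):
    """Number of KDF invocations a single login attempt triggers."""
    before = kdf_calls
    login(user, password)
    return kdf_calls - before
```

`kdf_cost` stands in for a stopwatch: the leaky path costs 1 hash for a real name and 0 for an unknown one, while the uniform path costs 1 in both cases.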
PoC code [public]
id: CVE-2004-1602

info:
  name: ProFTPD 1.2.x - Username Enumeration via Timing Attack
  author: pussycat0x
  severity: medium
  description: |
    ProFTPD versions 1.2.x (including 1.2.8 and 1.2.10) are vulnerable to timing attacks that allow remote attackers to distinguish valid usernames from invalid ones. The server responds in varying amounts of time when a given username exists, enabling username enumeration through response time analysis.
  reference:
    - http://marc.info/?l=bugtraq&m=109786760926133&w=2
    - https://exchange.xforce.ibmcloud.com/vulnerabilities/17724
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
    cvss-score: 5
    cve-id: CVE-2004-1602
    cwe-id: CWE-203
    epss-score: 0.0083
    epss-percentile: 0.73808
    cpe: cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: proftpd
    product: proftpd
    shodan-query:
      - product:"proftpd"
      - cpe:"cpe:2.3:a:proftpd:proftpd"
  tags: cve,cve2004,network,ftp,proftpd,tcp,passive,timing-attack,user-enum,vuln

tcp:
  - inputs:
      - data: 00000000
        type: hex
    host:
      - "{{Hostname}}"
    port: 21
    read-size: 1024

    matchers:
      - type: dsl
        dsl:
          - "contains(raw, 'ProFTPD')"
          - "compare_versions(version, '>= 1.2.0', '<= 1.2.10')"
        condition: and

    extractors:
      - type: regex
        group: 1
        name: version
        regex:
          - "ProFTPD ([0-9.]+)"
# digest: 4b0a00483046022100cba56ae1b6404a0a3a31c19d971680a6f0b4ca859bc4a0fcf1383b179969fe92022100bb45bb281302003a0d8a677025c83d0ef35944bd6f5473956ae9c30f76fa8969:922c64590222798bb761d5b6d8e72950