CVE-2024-48651: ProFTPD ≤ 1.3.8b - Privilege Escalation via mod_sql

Date: 2025-08-01 | Affected software: ProFTPD | PoC: public

Vulnerability description

ProFTPD versions through 1.3.8b (before commit cec01cc) contain a vulnerability in the mod_sql module due to improper handling of supplemental groups. This flaw allows authenticated users without explicitly assigned supplemental groups to inherit root group privileges (GID 0), potentially granting unauthorized access to sensitive system resources.
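
A host-side check for the effect described above, as an added example that is not part of the original page or of the ProFTPD project: it parses `/proc/<pid>/status` text and flags `proftpd` processes whose effective UID is non-root while GID 0 is among their supplementary groups. The status excerpts are constructed, and the assumption that an affected session shows GID 0 on its `Groups:` line follows from the description rather than from a tested server.

```python
# Added example: flag FTP session processes that run as a non-root user
# but still carry GID 0 among their supplementary groups.
# The /proc/<pid>/status excerpts in SAMPLES are constructed for illustration.

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of a /proc/<pid>/status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def root_group_leak(text, daemon="proftpd"):
    """True if the process is `daemon`, has a non-root effective UID,
    and lists GID 0 in its supplementary groups."""
    f = parse_status(text)
    if f.get("Name") != daemon:
        return False
    try:
        euid = int(f["Uid"].split()[1])  # Uid: real effective saved fs
        groups = {int(g) for g in f.get("Groups", "").split()}
    except (KeyError, IndexError, ValueError):
        return False  # truncated or malformed status text
    return euid != 0 and 0 in groups

def scan(statuses):
    """statuses maps pid -> status text; returns the sorted suspicious PIDs."""
    return sorted(pid for pid, text in statuses.items() if root_group_leak(text))

SAMPLES = {
    # master daemon, legitimately root
    4101: "Name:\tproftpd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t0 \n",
    # session for a user with no supplemental groups that kept GID 0
    4177: "Name:\tproftpd\nUid:\t0\t1001\t0\t1001\nGid:\t0\t1001\t0\t1001\nGroups:\t0 \n",
    # session with its own supplemental groups only
    4180: "Name:\tproftpd\nUid:\t0\t1002\t0\t1002\nGid:\t0\t1002\t0\t1002\nGroups:\t1002 2000 \n",
    # unrelated daemon, ignored by the default filter
    4203: "Name:\tsshd\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t0 1001 \n",
    # malformed entry (process exited mid-read)
    4250: "Name:\tproftpd\nUid:\t0\n",
}

if __name__ == "__main__":
    print(scan(SAMPLES))
```

On a live Linux host the same functions can be fed the contents of each `/proc/<pid>/status` file; a hit means the session should be checked against the server's group configuration, since an account may be placed in GID 0 deliberately.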

PoC code [public]

id: CVE-2024-48651

info:
  name: ProFTPD ≤ 1.3.8b - Privilege Escalation via mod_sql
  author: pussycat0x
  severity: high
  description: |
    ProFTPD versions through 1.3.8b (before commit cec01cc) contain a vulnerability in the mod_sql module due to improper handling of supplemental groups. This flaw allows authenticated users without explicitly assigned supplemental groups to inherit root group privileges (GID 0), potentially granting unauthorized access to sensitive system resources.
  reference:
    - https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1
    - https://github.com/proftpd/proftpd/issues/1830
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-48651
    cwe-id: CWE-863
    epss-score: 0.17782
    epss-percentile: 0.94832
  metadata:
    verified: true
    max-request: 1
    shodan-query: product:"ProFTPD"
  tags: cve,cve2024,network,ftp,proftpd,tcp,passive,priv-esc,vuln

tcp:
  - inputs:
      - data: 00000000
        type: hex

    host:
      - "{{Hostname}}"

    port: 21
    read-size: 1024

    matchers:
      - type: dsl
        dsl:
          - "contains(raw, 'ProFTPD')"
          - "compare_versions(version, '<= 1.3.8b')"
        condition: and

    extractors:
      - type: regex
        group: 1
        name: version
        regex:
          - "ProFTPD ([0-9.a-z]+)"
# digest: 4a0a00473045022031ad57b1bccf32155702b72289681d50f4735c036fb1a50c2bcd4e960407e7a7022100dc25de58c725d9bcd88a51b6263f671a593d8e75be0b36307fed06239e628f2a:922c64590222798bb761d5b6d8e72950
