id: CVE-2015-1419

info:
  name: vsftpd <= 3.0.2 - Access Restriction Bypass
  author: pussycat0x
  severity: medium
  description: |
    vsftpd 3.0.2 and earlier contain a vulnerability that allows remote attackers to bypass access restrictions due to improper parsing of the deny_file configuration directive.
  impact: |
    Unauthenticated attackers can bypass access restrictions configured via the deny_file directive to access files that should be restricted, potentially exposing sensitive data on vsftpd servers.
  remediation: |
    Update vsftpd to a version newer than 3.0.2 that properly parses and enforces the deny_file configuration directive to prevent access restriction bypass.
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
    cvss-score: 5
    cve-id: CVE-2015-1419
    epss-score: 0.76094
    epss-percentile: 0.98941
    cpe: cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: opensuse
    product: opensuse
    shodan-query: "vsFTPd"
  tags: cve,cve2015,network,ftp,vsftpd,tcp,passive,vuln

tcp:
  - inputs:
      - data: 00000000
        type: hex

    host:
      - "{{Hostname}}"

    port: 21
    read-size: 1024

    matchers:
      - type: dsl
        dsl:
          - "contains(raw, 'vsFTPd')"
          - "compare_versions(version, '<= 3.0.2')"
        condition: and

    extractors:
      - type: regex
        group: 1
        name: version
        regex:
          - "vsFTPd ([0-9.]+)"
# digest: 4a0a00473045022100b4da887c5c00347f469b1f325b32da801bc8e39623ffe86531f301e23e584a6e022018eea5b10f307fa0ddfa5e98ce960487dcac7f05f31ad9aac85d1a7b2342479b:922c64590222798bb761d5b6d8e72950