id: CVE-2024-48651

info:
  name: ProFTPD ≤ 1.3.8b - Privilege Escalation via mod_sql
  author: pussycat0x
  severity: high
  description: |
    ProFTPD versions through 1.3.8b (before commit cec01cc) contain a vulnerability in the mod_sql module due to improper handling of supplemental groups. This flaw allows authenticated users without explicitly assigned supplemental groups to inherit root group privileges (GID 0), potentially granting unauthorized access to sensitive system resources.
  impact: |
    Authenticated users can exploit improper supplemental group handling in mod_sql to inherit root group privileges (GID 0), potentially accessing sensitive files and system resources restricted to the root group.
  remediation: |
    Upgrade to ProFTPD version newer than 1.3.8b (after commit cec01cc) that properly handles supplemental groups in the mod_sql module.
  reference:
    - https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1
    - https://github.com/proftpd/proftpd/issues/1830
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-48651
    cwe-id: CWE-863
    epss-score: 0.02162
    epss-percentile: 0.79799
  metadata:
    verified: true
    max-request: 1
    shodan-query: product:"ProFTPD"
  tags: cve,cve2024,network,ftp,proftpd,tcp,passive,priv-esc,vuln

tcp:
  - inputs:
      - data: 00000000
        type: hex

    host:
      - "{{Hostname}}"

    port: 21
    read-size: 1024

    matchers:
      - type: dsl
        dsl:
          - "contains(raw, 'ProFTPD')"
          - "compare_versions(version, '<= 1.3.8b')"
        condition: and

    extractors:
      - type: regex
        group: 1
        name: version
        regex:
          - "ProFTPD ([0-9.a-z]+)"
# digest: 4b0a00483046022100feaa02ba55fc9fbc1799983082d01207e84a7517ec8014ffcbc4f5a174d3d7e3022100bc65bbfb3a24a77cd88911a780876bcce35c0d5e2856b52591b4ea58e86ff853:922c64590222798bb761d5b6d8e72950