Re: ftp conversions exploit

From: Gregory A Lundberg (lundberg@WU-FTPD.ORG)
Date: Fri Dec 24 1999 - 19:01:31 PST

Next message: Lamont Granquist: "Re: ftp conversions exploit"

Previous message: Pavel Machek: "strace can lie"
Next in thread: Lamont Granquist: "Re: ftp conversions exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Dec 24, 1999 at 08:51:21AM +0200, Alexey Chetroi wrote:

> On Wed, 22 Dec 1999, David Malone wrote:
>
> > On Wed, Dec 22, 1999 at 04:47:25AM +0000, Desi Hacker wrote:
> >
> > The ftpaccess man page contains the following example line:
> >
> > 	path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
> >
> > which disallows filenames starting with . or - to anonymous users.
> > Maybe your ftpaccess line contains this?
>
> it doesn't disallow filenames starting with . or -, it disallows
> filenames with spaces

Lo, he readeth from the manpage ...

       path-filter <typelist> <mesg> <allowed_charset>
            {<disallowed reg-exp> ...}

            For users in <typelist>, path-filter defines  regular
            expressions  that  control what a filename can or can
            not be.  There may be  multiple  disallowed  regexps.
            If  a filename is invalid due to failure to match the
            regexp criteria, <mesg>  will  be  displayed  to  the
            user.  For example:

                path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-

            specifies  that  all  upload  filenames for anonymous
            users must be made of only the characters  A-Z,  a-z,
            0-9,  and  "._-"  and  may not begin with a "."  or a
            "-".  If the filename is invalid,  /etc/pathmsg  will
            be displayed to the user.

Taking unto his heart his own advice, he commanded:

$ grep 'path-filter' /etc/ftpaccess
path-filter anonymous,guest /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-

And, knowing he was a guest unto himself, he bespoke unto the daemon:

$ ftp ftp.vr.net
Connected to www.vr.net.
220 ftp.vr.net FTP server ready.
Name (ftp.vr.net:lundberg):
331 Password required for lundberg.
Password:
230 User lundberg logged in.  Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put da -da
local: da remote: -da
200 PORT command successful.
550 -da: Permission denied on server. (Filename (deny))
ftp> put da .da
local: da remote: .da
200 PORT command successful.
550 .da: Permission denied on server. (Filename (deny))
ftp> ren da .da
350 File exists, ready for destination name
550 .da: Permission denied on server. (Filename (deny))
ftp> ren da -da
350 File exists, ready for destination name
550 -da: Permission denied on server. (Filename (deny))
ftp> quit
You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 723 bytes in 0 transfers.
221-Thank you for using the FTP service on ftp.vr.net.
221 Goodbye.

And, upon seeing the words were good and true, he rested.

--

Gregory A Lundberg              WU-FTPD Development Group
1441 Elmdale Drive              lundberg@wu-ftpd.org
Kettering, OH 45409-1615 USA    1-800-809-2195

Next message: Lamont Granquist: "Re: ftp conversions exploit"
Previous message: Pavel Machek: "strace can lie"
Next in thread: Lamont Granquist: "Re: ftp conversions exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:34 PDT