Hi.

On Thu, Jan 03, 2002 at 01:24:16PM -0500, KF wrote:

> Here's the latest version of ftp4all that I can find... version 3.012. This
> program is OLD and looks unmaintained; it's also got overflows, so I wouldn't
> use it.

Back your claims up. Last time I audited ftp4all it was quite secure; I doubt you'll find anything remotely in it.

The successor of ftp4all, OpenFTPD (www.openftpd.org), which does contain a lot of new and rewritten code, may be vulnerable though (at least last time I audited it).

> Here is a nice *feature* I have found in ftp4all.

Yes, it's a feature.

> Joe Schmoe uses my server and knows the default user is root with no pass

'root' is the default superuser that runs this ftpd. FTP4ALL uses an internal uid mapping, and root is the user that is granted all permissions the ftp4all process has. This includes the ability to exchange the ftpd configuration while the server is running, disable and re-enable the service, add and remove users, and many other nice features. One of them is the ability to execute shell commands. Since the 'root' user of ftp4all is the one who runs the ftp daemon from the shell anyway, executing a quick command from within ftp does not hurt anyone.

> sh-2.05$ ftp kf.ftp4all.boxen 2000
> Connected to kf.ftp4all.boxen
> 220 FTP4ALL Server 3.012 (05/Mar/2000) ready.
> Name (localhost:nobody): root
> 331 Password required for root.
> Password: <default no passwd>
> 230 User root logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
>
> Let's use the built-in w command to see who's logged in to ftpd
>
> ftp> site w
> 211- NR HANDLE GROUP ON-TM AC-TM MUP/MDN ACTIVITY / (LAST ACTIVITY)
> 211- 01?root 0 00:01 00:00 0/ 0 (LOGIN)
> 211 FTP4ALL v3.012 HH:MM MM:SS ON-TM=ONLINE TIME / AC-TM=ACTIVITY TIME
>
> Let's try it another way ... this looks like w output from a shell.
>
> ftp> site exec w
> 200- 6:16pm up 14:32, 2 users, load average: 0.00, 0.02, 0.04
> 200-USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
> 200-root tty1 - 3:47am 14:28m 3.22s 0.07s xinit /etc/X11/
> 200-root pts/0 - 3:48am 14:28m 0.03s 0.03s /bin/cat
> 200 EXEC finished with exitcode 0.
>
> So obviously you run commands as whoever this program was run as. The
> company suggests a non-priv user like nobody. But if you are dumb you may
> have run this as root. Have fun.

Let's try a "real" situation, where an ftp4all user logs into the ftpd, and not the user who installed the ftpd.

220 FTP server ready.
Name (localhost:scut): test
331 Password required for test.
Password:
230-Welcome, test - I have not seen you since Fri Jan 04, 2002 09:33 !
230-At the moment, there are 0 guest and 1 registered users logged in.
230 You uploaded 261.3 MB and downloaded 2.281 GB so far (u/d-ratio is 11.2).
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> site user list
550 You cannot list users except yourself.
ftp> site w
211- NR HANDLE GROUP ON-TM AC-TM MUP/MDN ACTIVITY / (LAST ACTIVITY)
211- 01·test user 00:00 00:05 0/ 0 (LOGIN)
211- FTP4ALL v2.27 HH:MM MM:SS ON-TM=ONLINE TIME / AC-TM=ACTIVITY TIME
211
ftp> quote SITE EXEC id
550 You are not superuser.
ftp>

So let's conclude: this is a perfectly legal feature, not a bug, and not a security vulnerability.

> -KF

-scut

--
-. scutat_private-berlin.de -. + http://segfault.net/~scut/
`--------------------. -' segfault.net/~scut/pgp
`' 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
`- two BLU-118b available for exchange against t/s atomal data. hi echelon --'
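The two sessions above hinge on reading the server's multi-line replies correctly: the superuser's SITE EXEC returns a "200-" block terminated by "200 EXEC finished", while the ordinary account gets a single "550 You are not superuser." line. The following is an added example (not code from the thread or from ftp4all) that parses RFC 959 style replies from a captured transcript and reports whether SITE EXEC was accepted, so an administrator can verify from a test account's session that the restriction holds; the transcript strings are constructed from the reply lines quoted in this post.

```python
import re
from dataclasses import dataclass, field

# Constructed from the reply lines quoted in the post (not a live capture).
ROOT_SITE_EXEC = """\
200- 6:16pm up 14:32, 2 users, load average: 0.00, 0.02, 0.04
200-USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
200-root tty1 - 3:47am 14:28m 3.22s 0.07s xinit /etc/X11/
200 EXEC finished with exitcode 0.
"""
USER_SITE_EXEC = "550 You are not superuser.\n"

@dataclass
class Reply:
    code: int
    lines: list = field(default_factory=list)  # reply text, code prefix stripped

_FIRST_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(text):
    """Split raw server output into RFC 959 replies, handling 'xyz-' blocks."""
    replies, current = [], None
    for raw in text.splitlines():
        if current is None:
            m = _FIRST_LINE.match(raw)
            if not m:
                raise ValueError(f"expected a reply code, got: {raw!r}")
            code, sep, rest = m.groups()
            current = Reply(int(code), [rest])
            if sep == " ":            # single-line reply, complete already
                replies.append(current)
                current = None
            continue
        # Inside a multi-line reply: it ends at a line "<same code><space>".
        prefix = f"{current.code}"
        if raw.startswith(prefix + " "):
            current.lines.append(raw[len(prefix) + 1:])
            replies.append(current)
            current = None
        elif raw.startswith(prefix + "-"):
            current.lines.append(raw[len(prefix) + 1:])
        else:
            current.lines.append(raw)  # RFC 959 permits bare continuation lines
    if current is not None:
        raise ValueError("unterminated multi-line reply")
    return replies

def site_exec_accepted(text):
    """True if the final reply is 2xx (command ran), False if 5xx (refused)."""
    code = parse_replies(text)[-1].code
    if code // 100 == 2:
        return True
    if code // 100 == 5:
        return False
    raise ValueError(f"unexpected reply code {code}")
```

Feed it the text of the server's answer to "quote SITE EXEC ..." from a non-superuser test account; a True result means the account can run shell commands as the ftpd's uid and the user's permissions need fixing.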
This archive was generated by hypermail 2b30 : Fri Jan 04 2002 - 10:29:54 PST