Security Basics mailing list archives
Re: shell to root through ftp?
From: bcl () brianlane com
Date: Thu, 4 Nov 2004 12:47:55 -0800
On Thu, Nov 04, 2004 at 01:47:55AM -0800, fIrestOrm wrote:
> Hi, I have a question that has been bugging me for days. I plan to run an ftp server on my home pc running redhat to serve some users. For those users, they will have their home directory configured as their default directory when they log on to ftp. My questions are:
>
> -What are the possible implications if they are allowed to traverse and enter every directory including / (root) but excluding /root (due to permissions set)? Are they able to get a shell prompt through ftp only?
Depends on the ftp server you use. My recommendation is ncftpd, it's not open but is free for under 10 simultaneous users and is rock solid. It also allows you to set up virtual ftp users with them limited to a specific directory tree (for example my users are limited to their web directory and have no ftp access to the rest of their /home/user tree). Another important consideration is passwords, DO NOT, under any circumstances, use the same passwords for ftp as for any other service. They are sent in the clear and are therefore susceptible to packet sniffing.
> -apache 1.3 is also running on the same box, hence, the users are granted access to www-root. One possible scenario I can think of is by uploading netcat and running it using HTTP. Can it be done through apache? If so, how?
>
> -Are there any avenues for privilege escalation to root user here?
Any time you allow users on your box there is the possibility of escalation. Either through malicious users, bugs in the daemon used or weak/sniffed passwords. Don't allow anonymous users to upload anything that can be accessed by the webserver. This is just asking for trouble (e.g. a simple php script could be uploaded and then run by the webserver).
> -Are there any other scenarios which utilize ftp as an attack vector to get a shell prompt? (please exclude rootkits, chmod to protect /bin, www-root etc).
FTP really isn't a very good way to allow users to access their home directories. A better solution would be to use sftp so that nothing is in the clear. There are ways to lock accounts to only use sftp and disallow direct ssh. See Brian Hatch's excellent articles on SSH at http://www.hackinglinuxexposed.com/articles/

Brian

--
---[Office 69.6F]--[Fridge 35.1F]---[Fozzy 87.3F]--[Coaster 69.9F]---
Linux Software Developer http://www.brianlane.com
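
The reply mentions locking accounts to sftp only and disallowing direct ssh. As an added example (not part of the original message or of the linked articles), the script below audits an sshd_config for Match blocks that leave that lock-down incomplete. It assumes an OpenSSH release that supports Match, ChrootDirectory, PermitTTY and internal-sftp; the group names and the sample config are constructed.

```python
# Added example: SAMPLE_CONFIG and its group names are constructed for illustration.
REQUIRED = {  # lowercase keyword -> required first argument
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
    "permittty": "no",
}
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
Match Group webusers
    ForceCommand internal-sftp
    AllowTcpForwarding yes
"""

def parse_match_blocks(text):
    """Return {match criteria: {keyword: value}} for every Match block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines carry no settings
        parts = line.split(None, 1) + [""]
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(keyword, value)  # first value wins, as in sshd
    return blocks

def audit(text):
    """Return {match criteria: [problems]}; an empty list means locked down."""
    report = {}
    for criteria, opts in parse_match_blocks(text).items():
        problems = []
        if opts.get("chrootdirectory", "none").lower() == "none":
            problems.append("chrootdirectory not set")
        for keyword, expected in REQUIRED.items():
            first = (opts.get(keyword, "").split() or ["<unset>"])[0]
            if first != expected:
                problems.append(f"{keyword} is {first}, expected {expected}")
        report[criteria] = problems
    return report

if __name__ == "__main__":
    for criteria, problems in audit(SAMPLE_CONFIG).items():
        print(criteria, "->", problems or "SFTP-only")
```

A keyword reported as `<unset>` falls back to the global section or the built-in default, so treat it as something to verify rather than a confirmed weakness.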