Security Basics mailing list archives

Re: shell to root through ftp?


From: bcl () brianlane com
Date: Thu, 4 Nov 2004 12:47:55 -0800

On Thu, Nov 04, 2004 at 01:47:55AM -0800, fIrestOrm wrote:
> Hi,
>
> I have a question that has been bugging me for days. I
> plan to run an ftp server on my home pc running redhat
> to serve some users. For those users, they will have
> their home directory configured as their default
> directory when they log on to ftp.
>
> My questions are:
>
> -What are the possible implications if they are
> allowed to traverse and enter every directory
> including / (root) but excluding /root (due to
> permissions set)? Are they able to get a shell prompt
> through ftp only?

Depends on the ftp server you use. My recommendation is ncftpd; it's not open
but is free for under 10 simultaneous users and is rock solid. It also
allows you to set up virtual ftp users with them limited to a specific
directory tree (for example my users are limited to their web directory and
have no ftp access to the rest of their /home/user tree).

Another important consideration is passwords. DO NOT, under any
circumstances, use the same passwords for ftp as for any other service. They
are sent in the clear and are therefore susceptible to packet sniffing.


> -apache 1.3 is also running on the same box, hence,
> the users are granted access to www-root. One possible
> scenario I can think of is by uploading netcat and
> running it using HTTP. Can it be done through apache?
> If so, how?
>
> -Are there any avenues for privilege escalation to
> root user here?

Any time you allow users on your box there is the possibility of escalation,
either through malicious users, bugs in the daemon used, or weak/sniffed
passwords. Don't allow anonymous users to upload anything that can be
accessed by the webserver. This is just asking for trouble (e.g. a simple php
script could be uploaded and then run by the webserver).


> -Are there any other scenarios that utilize ftp as
> an attack vector to get a shell prompt? (please
> exclude rootkits, chmod to protect /bin, www-root
> etc).

FTP really isn't a very good way to allow users to access their home
directories. A better solution would be to use sftp so that nothing is in
the clear. There are ways to lock accounts to only use sftp and disallow
direct ssh. See Brian Hatch's excellent articles on SSH at
http://www.hackinglinuxexposed.com/articles/

Brian

-- 
---[Office 69.6F]--[Fridge 35.1F]---[Fozzy 87.3F]--[Coaster 69.9F]---
Linux Software Developer                     http://www.brianlane.com
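The "uploaded php script run by the webserver" scenario Brian warns about above, as an added example that is not part of his reply or the original thread: a small POSIX shell script that audits an FTP upload directory sitting under the Apache document root, listing anything Apache would hand to an interpreter instead of serving as data, and printing a <Directory> stanza that turns script execution off there. It assumes a mod_php or CGI style Apache (1.3 or later) where the listed extensions are mapped to handlers; the extension list is an assumption and should be extended for whatever handlers your httpd.conf actually defines.

```sh
#!/bin/sh
# Added example, not code from the original post. Audit an FTP upload
# directory that sits under the Apache document root: list anything the
# web server would hand to an interpreter instead of serving as data, and
# print a <Directory> stanza that turns script execution off there.
#
# Assumptions: POSIX sh and find; the extension list below covers the usual
# mod_php and CGI handlers and is not exhaustive for every Apache setup.

WEB_EXEC_EXTS='php php3 php4 phtml phps cgi pl py sh shtml'

# Print every regular file under $1 whose extension is in WEB_EXEC_EXTS,
# one path per line, sorted. Prints nothing when the area is clean.
find_web_executable_uploads() {
    dir=$1
    for ext in $WEB_EXEC_EXTS; do
        find "$dir" -type f -name "*.$ext"
    done | sort
}

# Return 0 (success) when nothing under $1 would be executed by Apache.
upload_area_is_clean() {
    [ -z "$(find_web_executable_uploads "$1")" ]
}

# Emit an Apache 1.3/2.x <Directory> block for $1 that removes the PHP and
# CGI handlers, disables ExecCGI/SSI and directory listings, and refuses
# per-directory overrides so an uploaded .htaccess cannot turn them back on.
# php_flag is only valid when mod_php is loaded; wrap it in <IfModule> if
# PHP is optional on your server.
apache_no_exec_stanza() {
    cat <<EOF
# $1 is written to by FTP users: serve it as static content only.
<Directory "$1">
    php_flag engine off
    RemoveHandler .php .php3 .php4 .phtml .phps .cgi .pl .py .sh .shtml
    RemoveType .php .php3 .php4 .phtml .phps
    Options -ExecCGI -Includes -Indexes
    AllowOverride None
</Directory>
EOF
}

# Stand-alone use: ./audit_uploads.sh /var/www/html/uploads
if [ -n "$1" ]; then
    if upload_area_is_clean "$1"; then
        echo "clean: no interpreter-handled files under $1"
    else
        echo "WARNING: Apache would execute these uploads:"
        find_web_executable_uploads "$1"
    fi
    apache_no_exec_stanza "$1"
fi
```

The stanza is deliberately belt-and-braces: RemoveHandler and RemoveType strip the interpreter mapping, Options -ExecCGI -Includes closes the CGI and SSI paths, and AllowOverride None stops an uploaded .htaccess from re-adding any of it. Run the audit from cron so a handler that gets added later to httpd.conf is caught by the file list even if the stanza is forgotten.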

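Brian points to Brian Hatch's articles for locking accounts to sftp only. As an added example, not from the reply or the thread, here is how that is done with a modern OpenSSH (ChrootDirectory and internal-sftp arrived in 4.8/4.9, years after this post), together with the check that most often breaks it: every path component of the chroot must be owned by root and writable by nobody else, or sshd refuses the login. The group name sftponly and the /home/<user>/upload layout are hypothetical; the script assumes a POSIX shell with ls and awk.

```sh
#!/bin/sh
# Added example, not from the original post: lock accounts to SFTP only
# with a modern OpenSSH (ChrootDirectory and internal-sftp, 4.8/4.9 and
# later), and check the one thing that silently breaks it: every path
# component of the chroot must be owned by root and writable by nobody
# else, or sshd refuses the login.
#
# Assumptions: POSIX sh with ls/awk; a group named sftponly (hypothetical)
# whose members keep their uploads in /home/<user>/upload, a directory
# they own inside a root-owned /home/<user>. Paths containing whitespace
# are not handled.

# Print the sshd_config Match block that restricts members of group $1
# to the internal SFTP server, chrooted into their home, with no shell,
# tty, or forwarding. Paste the output at the END of sshd_config: every
# line after a Match line belongs to that block.
sftp_only_match_block() {
    cat <<EOF
Match Group $1
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Print each ancestor of $1 from / down to $1 itself, one per line.
chroot_components() {
    oldifs=$IFS
    IFS=/
    set -- $1
    IFS=$oldifs
    acc=''
    printf '/\n'
    for part in "$@"; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        printf '%s\n' "$acc"
    done
}

# Return 0 when directory $1 has neither the group nor the other write bit.
# Reads the ls -ld mode string (columns 6 and 9) so it works on GNU and
# BSD userlands alike.
dir_not_group_world_writable() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case $mode in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Return 0 when directory $1 is owned by root.
dir_owned_by_root() {
    [ "$(ls -ld -- "$1" | awk '{print $3}')" = root ]
}

# Walk every component of the chroot path and report the first offender.
# This mirrors the check sshd performs before honouring ChrootDirectory.
chroot_path_ok() {
    for d in $(chroot_components "$1"); do
        if ! dir_owned_by_root "$d"; then
            echo "bad chroot: $d is not owned by root" >&2
            return 1
        fi
        if ! dir_not_group_world_writable "$d"; then
            echo "bad chroot: $d is group- or world-writable" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone use: ./sftp_only.sh alice
# Prints the Match block and validates /home/alice as a chroot target.
if [ -n "$1" ]; then
    sftp_only_match_block sftponly
    chroot_path_ok "/home/$1" && echo "/home/$1 is usable as ChrootDirectory"
fi
```

Because the chroot root itself must be root-owned and not writable by the user, the user cannot write to the top of their home; give them a subdirectory such as /home/alice/upload that they own. When the home directory path does not exist inside the chroot, the sftp session simply starts at the chroot root, so point the web server's document root for that user at the writable subdirectory rather than at the chroot root. Test with `sftp alice@host` and confirm `ssh alice@host` is refused before relying on it.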