Re: shell to root through ftp?

[Chris Umphress <umphress () gmail com>]

> -What are the possible implications if they are
> allowed to traverse and enter every directory
> including / (root) but excluding /root (due to
> permissions set)? Are they able to get a shell prompt
> through ftp only?

The largest implication is that they could download files or upload
files where they don't belong. I would not recommend letting users do
this.

> -apache 1.3 is also running on the same box, hence,
> the users are granted access to www-root. One possible
> scenario I can think of is by uploading netcat and
> running it using HTTP. Can it be done through apache?
> If so, how?

Do you have any server-side scripting languages installed/enabled?
SSI, PHP, etc. could be used to run a program or possibly read/write
files on your system.

> -Are there any avenues for privilege escalation to
> rootuser here?

If your file permissions are very restrictive, it would minimize the
risk. Also, you would want to remove root's ability to log in remotely
at all. The HTTP server depends on whether you have server-side
scripting installed in any way. If you do, you might as well give them
shell access as the user your server runs as.

> -Are there any other scenarios which utilizes ftp as
> an attack vector to get a shell prompt ? (please
> exclude rootkits, chmod to protect /bin, www-root
> etc).

I'll leave that question for someone else.

--Chris

-- 
Chris Umphress <http://daga.dyndns.org/>