Penetration Testing mailing list archives

Re: [PEN-TEST] ftp etc/passwd


From: Alan Olsen <alan () CLUESERVER ORG>
Date: Tue, 28 Nov 2000 21:09:57 -0800

On Tue, 28 Nov 2000, Bill Weiss wrote:

Seth Georgion(sgeorgion () ECLOSER COM)@Tue, Nov 28, 2000 at 02:50:13PM -0800:
I'm doing a pen-test on a Solaris/NT network and I found a Solaris server
with anonymous ftp on and with what appears to be the root directory of a
user on the system. Pardon my terminology as my experience lies mostly with
NT. Anyway, inside etc is passwd, which I suppose I need to get to wrap this
out; however, every time I try and retrieve it I get the error

ftp> get /etc/passwd
200 PORT command successful.
550 /etc/passwd is marked unretrievable

Another one of the folders reports access denied but this one definitely
does not.

Anybody have an idea on what I am doing wrong or how to get access to it?

(If anyone knows this better than I, speak up)

I doubt that the FTP server really is giving you the root directory.
It probably is chroot()ing (or something similar).

I imagine that, when writing a FTP server, I would just keep anonymous users
from downloading even the fake /etc/passwd, which it may.  Not knowing Solaris
(Slack-type myself...), it's a guess.

Most likely it is a chrooted directory.

Wu-ftpd and a few others have an /etc/passwd, as well as /bin, /lib,
and /etc. (I am doing this from memory, so sorry if I accidentally miss
something.)

/bin contains "ls", "gzip" and a few other needed commands. The
permissions should be set so that the daemon can get to them, but no-one
else can.  (I have seen crackers put a copy of "sh" there as a backdoor.)

/etc contains a modified copy of /etc/passwd used for guest accounts and
that is about it. Usually the passwords have been removed. It is more of a
stub than anything.  There will also be a hacked down version of
/etc/group.

/lib will contain the libraries needed to allow "ls" and the other
commands to work.  (Most ftp packages do not include statically linked
versions of these utilities.)

Where are the problems?

The ftp daemon usually reveals what version it is via the banner when you
connect via anonymous ftp.  From this you can determine if it is the stock
daemon, what version it is, and possibly who built it.

Other things to look for are if the "chmod" command works, if there are
writable directories, if you can create directories, if you can write to
/etc, /lib, or /etc, and so on.

Crackers will not just look to root the site.  Some want the ftp server to
distribute "warez" and other forbidden bit patterns. Being able to create
files and directories allows them to do that.  (Having it happen can be
harmful to your bandwidth.)

alan () ctrl-alt-del com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
    "In the future, everything will have its 15 minutes of blame."
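As an added example (not code from this thread or from wu-ftpd), a POSIX shell audit of a wu-ftpd-style anonymous chroot covering the points Alan lists: world-writable directories, a shell planted in bin/, and real password hashes left in the stub etc/passwd. The sample trees it builds are constructed for demonstration.

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP chroot tree laid out as described
# above (bin/, etc/, lib/ under the anonymous root). One line per finding.
audit_ftp_chroot() {
    root=$1

    # Writable directories let anonymous users drop files or replace the
    # helper binaries; nothing in the tree should be world-writable.
    find "$root" -type d -perm -0002 | while IFS= read -r d; do
        printf 'world-writable directory: %s\n' "$d"
    done

    # bin/ should hold only helpers such as ls and gzip; a shell there is
    # the backdoor pattern mentioned in the message.
    for shell in sh bash ksh csh; do
        [ -e "$root/bin/$shell" ] && printf 'shell present in chroot bin: %s\n' "$root/bin/$shell"
    done

    # The stub etc/passwd exists only for name lookups; the password field
    # must be empty or a lock marker, never a real hash.
    if [ -f "$root/etc/passwd" ]; then
        awk -F: '$2 != "" && $2 != "*" && $2 != "x" {
            print "hash in chroot passwd for user: " $1 }' "$root/etc/passwd"
    fi
}

# Constructed sample trees (not from any real system): make_sample DIR clean|dirty
make_sample() {
    mkdir -p "$1/bin" "$1/etc" "$1/lib" "$1/pub"
    chmod 755 "$1" "$1/bin" "$1/etc" "$1/lib" "$1/pub"
    printf 'ftp:*:14:50:Anonymous FTP:/:/bin/false\n' > "$1/etc/passwd"
    if [ "$2" = dirty ]; then
        chmod 777 "$1/pub"                     # world-writable drop directory
        : > "$1/bin/sh"                        # planted shell
        printf 'root:$6$salt$hashplaceholder:0:0::/:/bin/sh\n' >> "$1/etc/passwd"
    fi
}

# count_findings DIR -> number of findings reported by audit_ftp_chroot
count_findings() {
    audit_ftp_chroot "$1" | wc -l | tr -d ' '
}

demo=$(mktemp -d)
make_sample "$demo/clean" clean
make_sample "$demo/dirty" dirty
echo "clean tree findings: $(count_findings "$demo/clean")"
audit_ftp_chroot "$demo/dirty"
rm -rf "$demo"
```

Run `audit_ftp_chroot /path/to/anon-ftp-root` against a real tree; empty output means none of the three checks fired.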