Vulnerability Development mailing list archives

Re: Retarded *feature* in ftp4all


From: Sebastian <scut () nb in-berlin de>
Date: Fri, 4 Jan 2002 09:36:06 +0100


Hi.


On Thu, Jan 03, 2002 at 01:24:16PM -0500, KF wrote:

Here's the latest version of ftp4all that I can find... version 3.012. This
program is OLD and looks unmaintained; it's also got overflows so I wouldn't
use it.

Back your claims up. Last time I audited ftp4all it was quite secure; I
doubt you'll find anything remotely in it.

The successor of ftp4all, OpenFTPD (www.openftpd.org), which does contain a
lot of new and rewritten code, may be vulnerable though (at least as of the
last time I audited it).


Here's a nice *feature* I have found in ftp4all.

Yes, it's a feature.


Joe Schmoe uses my server and knows the default user is root with no pass.

'root' is the default superuser that runs this ftpd. FTP4ALL uses an
internal uid mapping, and root is the user that is granted all permissions
the ftp4all process has. This includes the ability to exchange the ftpd
configuration while the server is running, disable and re-enable the
service, add and remove users, and many other nice features. One of them is
the ability to execute shell commands. Since the 'root' user of ftp4all is
the one who runs the ftp daemon from the shell anyway, executing a quick
command from within ftp does not hurt anyone.


sh-2.05$ ftp kf.ftp4all.boxen  2000
Connected to kf.ftp4all.boxen
220 FTP4ALL Server 3.012 (05/Mar/2000) ready.
Name (localhost:nobody): root
331 Password required for root.
Password: <default no passwd>
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.

Let's use the built-in w command to see who's logged in to ftpd:
ftp> site w
211- NR HANDLE    GROUP     ON-TM AC-TM MUP/MDN ACTIVITY / (LAST ACTIVITY)
211- 01?root      0         00:01 00:00   0/  0 (LOGIN)
211  FTP4ALL v3.012         HH:MM MM:SS ON-TM=ONLINE TIME / AC-TM=ACTIVITY TIME

Let's try it another way ... this looks like w output from a shell.
ftp> site exec w
200-  6:16pm  up 14:32,  2 users,  load average: 0.00, 0.02, 0.04
200-USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
200-root     tty1     -                 3:47am 14:28m  3.22s  0.07s  xinit /etc/X11/
200-root     pts/0    -                 3:48am 14:28m  0.03s  0.03s  /bin/cat
200 EXEC finished with exitcode 0.

So obviously you run commands as whoever this program was run as. The
company suggests a non-priv user like nobody. But if you are dumb you may
have run this as root. Have fun.

Let's try a "real" situation, where an ftp4all user logs into the ftpd, and
not the user who installed the ftpd.

220 FTP server ready.
Name (localhost:scut): test
331 Password required for test.
Password:
230-Welcome, test - I have not seen you since Fri Jan 04, 2002 09:33 !
230-At the moment, there are 0 guest and 1 registered users logged in.
230 You uploaded 261.3 MB and downloaded 2.281 GB so far (u/d-ratio is 11.2).
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> site user list
550 You cannot list users except yourself.
ftp> site w
211- NR HANDLE    GROUP     ON-TM AC-TM MUP/MDN ACTIVITY / (LAST ACTIVITY)
211- 01?test      user      00:00 00:05   0/  0 (LOGIN)
211- FTP4ALL v2.27          HH:MM MM:SS ON-TM=ONLINE TIME / AC-TM=ACTIVITY TIME
211  
ftp> quote SITE EXEC id
550 You are not superuser.
ftp>


So let's conclude: this is a perfectly legal feature, not a bug, and not a
security vulnerability.

-KF

-scut

-- 
-. scut () nb in-berlin de -. + http://segfault.net/~scut/ `--------------------.
-' segfault.net/~scut/pgp `' 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
`- two BLU-118b available for exchange against t/s atomal data. hi echelon --'
