


Vulnerability Development: A Bug in the Recently Released BetaFTPD0.0.8pre7 (fwd)


From: Bubonic <ssq_at_M-NET.ARBORNET.ORG>
Date: Tue, 21 Dec 1999 22:40:22 -0500

Betaftpd0.0.8pre7

I had just downloaded this program off of freshmeat to test it.
I decided to change it to go on port 21 (ftpd.h). After doing that
I configured and made the program. Then I ran it on my system
(Linux 2.2.9 RH 6.0) and the following logs tell the rest:

------------------------------ran the program------------------------------

bash-2.03# ./betaftpd --enable-xferlog --enable-fullscren
--enable-upload --enable-shadow &
[1] 4753
BetaFTPD version 0.0.8pre7, Copyright (C) 1999 Steinar H. Gunderson
BetaFTPD comes with ABSOLUTELY NO WARRANTY; for details see the file
COPYING. This is free software, and you are welcome to redistribute it
under certain conditions; again see the file COPYING for details.

BetaFTPD active
bash-2.03#
----------------------------------------------------------------------------

Then I decided to ps -aux to find out how it was running

---------------------------------ps -aux----------------------------------
bash-2.03# ps -aux
root 4753 0.0 1.2 1308 384 pts/6 S 17:27 0:00 ./betaftpd
----------------------------------------------------------------------------

Now this seemed all good and dandy running as root as I wanted it
to be (this is before testing the --enable-nonroot flag).
So I decided to test the stability of the program by ftping to it.
So I did:

----------------------------------ftp log-----------------------------------
bash-2.03# ftp 127.0.0.1
Connected to 127.0.0.1.
220 BetaFTPD 0.0.8pre7 ready.
Name (127.0.0.1:root): bubonic
331 Password required for bubonic.
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Have a nice day!
bash-2.03#
----------------------------------------------------------------------------

I gave it a wrong password on purpose so I could go eat dinner and not
goof around anymore but before I went to eat I listed the process
one more time and noticed something a little strange:

------------------------------------ps -aux-------------------------------
bash-2.03# ps -aux
bubonic 4753 0.0 2.1 1360 672 pts/6 S 17:27 0:00 ./betaftpd
----------------------------------------------------------------------------

By not having a successful login with the login bubonic the process
was now under my user bubonic. This could cause a DoS for an intruder
who could kill your FTP service. Indeed a big bug. Since it is now
bubonic's PID then that user is able to kill this PID which could
result in a mess.

-Bubonic

P.S. Sorry for poor English I wrote this without food. :)
     Any question or comments please mail me at ssq_at_m-net.arbornet.org
Received on Dec 22 1999
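
The USER column of `ps aux` shows only the effective user of a process, while the Linux kill(2) permission check for an unprivileged sender compares against the target's real and saved UIDs, so a check for this kind of ownership drift should read all four UIDs from /proc/<pid>/status. The following is an added example, not code from the post or from BetaFTPD; the message does not say which UIDs the daemon changed, and the sample status text, UID 500 and all function names are constructed for illustration.

```python
# Added example: detect UID drift of a daemon from /proc/<pid>/status text
# and decide whether a given unprivileged user could signal (kill) it.

def parse_uids(status_text):
    """Return (real, effective, saved, fs) from the 'Uid:' line."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            fields = line.split()[1:]
            if len(fields) != 4:
                raise ValueError("malformed Uid line: %r" % line)
            return tuple(int(f) for f in fields)
    raise ValueError("no Uid line found")


def can_signal(sender_ruid, sender_euid, target_uids):
    """kill(2) rule for an unprivileged sender: its real or effective UID
    must equal the target's real UID or saved set-user-ID."""
    real, _effective, saved, _fs = target_uids
    return bool({sender_ruid, sender_euid} & {real, saved})


def assess(status_text, expected_uid, user_uid):
    """Report drift from the expected owner and whether user_uid can signal."""
    uids = parse_uids(status_text)
    return {
        "uids": uids,
        "drifted": any(u != expected_uid for u in uids),
        "user_can_signal": can_signal(user_uid, user_uid, uids),
    }


# Constructed samples (assumptions, not captured from the system in the post).
# UID 500 stands in for the login name that was typed at the FTP prompt.
ONLY_EFFECTIVE_CHANGED = "Name:\tbetaftpd\nPid:\t4753\nUid:\t0\t500\t0\t500\n"
ALL_CHANGED = "Name:\tbetaftpd\nPid:\t4753\nUid:\t500\t500\t500\t500\n"

if __name__ == "__main__":
    for label, text in (("effective only", ONLY_EFFECTIVE_CHANGED),
                        ("all uids", ALL_CHANGED)):
        print(label, assess(text, expected_uid=0, user_uid=500))
```

Both samples would look identical in `ps aux`, but only the second lets the named user signal the daemon; the first is still drift worth alerting on, since a daemon expected to run as root now has a different effective UID.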
